Abstract. Separation Logic is a widely used formalism for describing dynamically allocated linked data structures, such as lists, trees, etc. The decidability status of various fragments of the logic constitutes a long standing open problem. Current results report on techniques to decide satisfiability and validity of entailments for Separation Logic(s) over lists (possibly with data). In this paper we establish a more general decidability result. We prove that any Separation Logic formula using rather general recursively defined predicates is decidable for satisfiability, and moreover, entailments between such formulae are decidable for validity. These predicates are general enough to define (doubly-) linked lists, trees, and structures more general than trees, such as trees whose leaves are chained in a list. The decidability proofs are by reduction to decidability of Monadic Second Order Logic on graphs with bounded tree width.



1 Introduction 

Separation Logic (SL) [17] is a general framework for describing dynamically allocated mutable data structures generated by programs that use pointers and low-level memory allocation primitives. The logics in this framework are used by a substantial number of academic (Space Invader [1], Sleek [16] and Predator [9]), as well as industrial-scale (Infer [7]) tools for program verification and certification. These logics are used both externally, as property specification languages, and internally, e.g., as abstract domains for computing invariants, or for proving verification conditions. The main advantage of using SL when dealing with heap manipulating programs is the ability to provide compositional proofs, based on the principle of local reasoning, i.e., analyzing different sections (e.g., functions, threads, etc.) of the program that work on disjoint parts of the global heap, and combining the analysis results a posteriori.

The basic language of SL consists of two kinds of atomic propositions describing 
either (i) the empty heap, or (ii) a heap consisting of an allocated cell, connected via a 
separating conjunction primitive. Hence a basic SL formula can describe only a heap 
whose size is bounded by the size of the formula. The ability of describing unbounded 
data structures is provided by the use of recursive definitions. Figure 1 gives several 
common examples of recursive data structures definable in this framework. 

The main difficulty that arises when using Separation Logic with Recursive Definitions (SLRD) to reason automatically about programs is that the logic, due to its expressiveness, does not have very nice decidability properties. Most dialects used in practice restrict the language (e.g., no quantifier alternation, negation is used only in very restricted ways, etc.) and the class of models over which the logic is interpreted (typically singly-linked lists, and slight variations thereof). In the same way, we apply several natural restrictions on the syntax of the recursive definitions, and define the fragment $\mathrm{SLRD}_{btw}$, which guarantees that all models of a formula in the fragment have bounded tree width. This ensures that the satisfiability and entailment problems in this fragment are decidable without any restrictions on the type of the recursive data structures considered.

Fig. 1. Examples of recursive data structures definable in SLRD.

In general, the techniques used in proving decidability of Separation Logic are either proof-based ([16, 2]), or model-based ([5, 8]). It is well-known that automata theory, through various automata-logics connections, provides a unifying framework for proving decidability of various logics, such as (W)SkS, Presburger Arithmetic or MSO over certain classes of graphs. In this paper we propose an automata-theoretic approach consisting of two ingredients. First, $\mathrm{SLRD}_{btw}$ formulae are translated into equivalent Monadic Second Order (MSO) formulae over graphs. Second, we show that the models of $\mathrm{SLRD}_{btw}$ formulae have the bounded tree width property, which provides a decidability result by reduction to the satisfiability problem for MSO interpreted over graphs of bounded tree width [18], and ultimately, to the emptiness problem of tree automata.

Related Work The literature on defining decidable logics for describing mutable data structures is rather extensive. Initially, first-order logic with transitive closure of one function symbol was introduced in [11], with a follow-up logic of reachability on complex data structures in [19]. The decision procedures for these logics are based on reductions to the decidability of MSO over finite trees. Along the same lines, the logic PALE [15] goes beyond trees, in defining trees with edges described by regular routing expressions, whose decidability is still a consequence of the decidability of MSO over trees. More recently, the CSL logic [4] uses first-order logic with reachability (along multiple selectors) in combination with arithmetic theories to reason about shape, path lengths and data within heap structures. Their decidability proof is based on a small model property, and the algorithm is enumerative. In the same spirit, the STRAND logic [14] combines MSO over graphs with quantified data theories, and provides decidable fragments using a reduction to MSO over graphs of bounded tree width.

Concerning SLRD [17], the first (proof-theoretic) decidability result on a restricted fragment defining only singly-linked lists was reported in [2], which describes a coNP algorithm. The full basic SL without recursive definitions, but with the magic wand operator, was found to be undecidable when interpreted in any memory model [6]. Recently, the entailment problem for SLRD over lists has been reduced to graph homomorphism in [8], and can be solved in PTIME. This method has been extended to reason about nested and overlaid lists in [10]. The logic $\mathrm{SLRD}_{btw}$, presented in this paper, is, to the best of our knowledge, the first decidable SL that can define structures more general than lists and trees, such as e.g. trees with parent pointers and linked leaves.

2 Preliminaries 

For a finite set $S$, we denote by $\|S\|$ its cardinality. We sometimes denote sets and sequences of variables as $\mathbf{x}$, the distinction being clear from the context. If $\mathbf{x}$ denotes a sequence, $(\mathbf{x})_i$ denotes its $i$-th element. For a partial function $f : A \to B$, and $\bot \notin B$, we denote by $f(x) = \bot$ the fact that $f$ is undefined at some point $x \in A$. By $f[a \leftarrow b]$ we denote the function $\lambda x\,.\,\text{if } x = a \text{ then } b \text{ else } f(x)$. The domain of $f$ is denoted $dom(f) = \{x \in A \mid f(x) \neq \bot\}$, and the image of $f$ is denoted as $img(f) = \{y \in B \mid \exists x \in A\,.\,f(x) = y\}$. By $f : A \to_{fin} B$ we denote any partial function whose domain is finite. Given two partial functions $f, g$ defined on disjoint domains, we denote by $f \oplus g$ their union.

Stores, Heaps and States. We consider $PVar = \{u, v, w, \ldots\}$ to be a countably infinite set of pointer variables and $Loc = \{l, m, n, \ldots\}$ to be a countably infinite set of memory locations. Let $nil \in PVar$ be a designated variable, $null \in Loc$ be a designated location, and $Sel = \{1, \ldots, \mathcal{S}\}$, for some given $\mathcal{S} > 0$, be a finite set of natural numbers, called selectors in the following.

Definition 1. A state is a pair $\langle s, h\rangle$ where $s : PVar \to_{fin} Loc$ is a partial function mapping pointer variables into locations such that $s(nil) = null$, and $h : Loc \to_{fin} Sel \to_{fin} Loc$ is a finite partial function such that (i) $null \notin dom(h)$ and (ii) for all $\ell \in dom(h)$ there exists $k \in Sel$ such that $(h(\ell))(k) \neq \bot$.

Given a state $S = \langle s, h\rangle$, $s$ is called the store and $h$ the heap. For any $k \in Sel$, we write $h_k(\ell)$ instead of $(h(\ell))(k)$, and $\ell \xrightarrow{k} \ell'$ for $h_k(\ell) = \ell'$. We sometimes call a triple $\ell \xrightarrow{k} \ell'$ an edge, and $k$ is called a selector. Let $Img(h) = \bigcup_{\ell \in Loc} img(h(\ell))$ be the set of locations which are destinations of some selector edge in $h$. A location $\ell \in Loc$ is said to be allocated in $\langle s, h\rangle$ if $\ell \in dom(h)$ (i.e. it is the source of an edge), and dangling in $\langle s, h\rangle$ if $\ell \in [img(s) \cup Img(h)] \setminus dom(h)$, i.e., it is either referenced by a store variable, or reachable from an allocated location in the heap, but it is not allocated in the heap itself. The set $loc(S) = img(s) \cup dom(h) \cup Img(h)$ is the set of all locations either allocated or referenced in a state $S = \langle s, h\rangle$.

Trees. Let $\Sigma$ be a finite label alphabet, and $\mathbb{N}^*$ be the set of sequences of natural numbers. Let $\varepsilon \in \mathbb{N}^*$ denote the empty sequence, and $p.q$ denote the concatenation of two sequences $p, q \in \mathbb{N}^*$. A tree $t$ over $\Sigma$ is a finite partial function $t : \mathbb{N}^* \to_{fin} \Sigma$, such that $dom(t)$ is a finite prefix-closed subset of $\mathbb{N}^*$, and for each $p \in dom(t)$ and $i \in \mathbb{N}$, we have: $t(p.i) \neq \bot \Rightarrow \forall 0 \leq j < i\,.\,t(p.j) \neq \bot$. Given two positions $p, q \in dom(t)$, we say that $q$ is the $i$-th successor (child) of $p$ if $q = p.i$, for $i \in \mathbb{N}$. Also $q$ is a successor of $p$, or equivalently, $p$ is the parent of $q$, denoted $p = parent(q)$, if $q = p.i$, for some $i \in \mathbb{N}$.

We will sometimes denote by $\mathcal{D}(t) = \{-1, 0, \ldots, N\}$ the direction alphabet of $t$, where $N = \max\{i \in \mathbb{N} \mid p.i \in dom(t)\}$. The concatenation of positions is defined over $\mathcal{D}(t)$ with the convention that $p.(-1) = q$ if and only if $p = q.i$ for some $i \in \mathbb{N}$. We denote $\mathcal{D}_+(t) = \mathcal{D}(t) \setminus \{-1\}$. A path in $t$, from $p_1$ to $p_k$, is a sequence $p_1, p_2, \ldots, p_k \in dom(t)$ of pairwise distinct positions, such that either $p_i = parent(p_{i+1})$ or $p_{i+1} = parent(p_i)$, for all $1 \leq i < k$. Notice that a path in the tree can also link sibling nodes, not just ancestors to their descendants, or vice versa. However, a path may not visit the same tree position twice.

Tree Width. A state (Def. 1) can be seen as a directed graph, whose nodes are locations, and whose edges are defined by the selector relation. Some nodes are labeled by program variables ($PVar$) and all edges are labeled by selectors ($Sel$). The notion of tree width is then easily adapted from generic labeled graphs to states. Intuitively, the tree width of a state (graph) measures the similarity of the state to a tree.

Definition 2. Let $S = \langle s, h\rangle$ be a state. A tree decomposition of $S$ is a tree $t : \mathbb{N}^* \to_{fin} 2^{loc(S)}$, labeled with sets of locations from $loc(S)$, with the following properties:

1. $loc(S) = \bigcup_{p \in dom(t)} t(p)$, the tree covers the locations of $S$

2. for each edge $\ell_1 \xrightarrow{k} \ell_2$ in $S$, there exists $p \in dom(t)$ such that $\ell_1, \ell_2 \in t(p)$

3. for each $p, q, r \in dom(t)$, if $q$ is on a path from $p$ to $r$ in $t$, then $t(p) \cap t(r) \subseteq t(q)$

The width of the decomposition is $w(t) = \max_{p \in dom(t)}\{\|t(p)\| - 1\}$. The tree width of $S$ is $tw(S) = \min\{w(t) \mid t \text{ is a tree decomposition of } S\}$.

A set of states is said to have bounded tree width if there exists a constant $k \geq 0$ such that $tw(S) \leq k$, for any state $S$ in the set. Figure 2 gives an example of a graph (left) and a possible tree decomposition (right).
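As an added worked example (Python code written for this edition, not part of the original paper), the following checks the three conditions of Definition 2 for a candidate decomposition of a small constructed state and returns its width $w(t)$. The state (a 3-cycle on selector 1, pointed to by a variable $root$), the tree positions, the bags and all function names are this example's own choices.

```python
"""Checking a tree decomposition of a state (Definition 2) and computing
its width.  The state and the decompositions below are constructed for
this example."""
from itertools import combinations

# A state: store (pointer variable -> location) and heap
# (location -> tuple of selector targets, selector k at index k-1).
STORE = {"nil": 0, "root": 1}
HEAP = {1: (2,), 2: (3,), 3: (1,)}          # a 3-cycle on selector 1

def locations(store, heap):
    """loc(S) = img(s) U dom(h) U Img(h)."""
    locs = set(store.values()) | set(heap)
    for targets in heap.values():
        locs |= set(targets)
    return locs

def edges(heap):
    """The selector edges l --k--> l' of the heap."""
    return {(l, k + 1, l2) for l, ts in heap.items() for k, l2 in enumerate(ts)}

def tree_path(parent, p, r):
    """Positions on the (unique) path from p to r in the tree given by `parent`."""
    def ancestors(q):
        out = [q]
        while q in parent:
            q = parent[q]
            out.append(q)
        return out
    ap, ar = ancestors(p), ancestors(r)
    common = next(q for q in ap if q in ar)
    return ap[:ap.index(common)] + ar[:ar.index(common) + 1]

def decomposition_width(store, heap, bags, parent):
    """w(t) if (bags, parent) is a tree decomposition of the state, else None.
    `bags` maps tree positions to sets of locations, `parent` maps every
    non-root position to its parent."""
    if set().union(*bags.values()) != locations(store, heap):   # 1. cover
        return None
    for l1, _k, l2 in edges(heap):                               # 2. edges
        if not any({l1, l2} <= bag for bag in bags.values()):
            return None
    for p, r in combinations(bags, 2):                           # 3. paths
        shared = bags[p] & bags[r]
        if shared and not all(shared <= bags[q] for q in tree_path(parent, p, r)):
            return None
    return max(len(bag) - 1 for bag in bags.values())

# Position "e" is the root, "0" its only child.
GOOD = {"e": {0, 1, 2}, "0": {1, 2, 3}}     # every cycle edge sits in a bag
BAD = {"e": {0, 1, 2}, "0": {2, 3}}         # the edge 3 -> 1 is in no bag
PARENT = {"0": "e"}
```

A 3-cycle has tree width 2: no decomposition with bags of size 2 can contain all three edges while keeping condition 3, which is exactly what the failing BAD decomposition illustrates.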



Fig. 2. A graph and a possible tree decomposition of width 2

2.1 Syntax and Semantics of Monadic Second Order Logic

Monadic second-order logic (MSO) on states is a straightforward adaptation of MSO on labeled graphs [13]. As usual, we denote first-order variables, ranging over locations, by $x, y, \ldots$, and second-order variables, ranging over sets of locations, by $X, Y, \ldots$. The set of logical MSO variables is denoted by $LVar_{mso}$, where $PVar \cap LVar_{mso} = \emptyset$.

We emphasize here the distinction between the logical variables $LVar_{mso}$ and the pointer variables $PVar$: the former may occur within the scope of first and second order quantifiers, whereas the latter play the role of symbolic constants (function symbols of zero arity). For the rest of this paper, a logical variable is said to be free if it does not occur within the scope of a quantifier. By writing $\varphi(\mathbf{x})$, for an MSO formula $\varphi$, and a set of logical variables $\mathbf{x}$, we mean that all free variables of $\varphi$ are in $\mathbf{x}$.

The syntax of MSO is defined below:

$u \in PVar;\quad x, X \in LVar_{mso};\quad k \in \mathbb{N}$

$\varphi ::= x = y \mid var_u(x) \mid edge_k(x,y) \mid null(x) \mid X(x) \mid \varphi \wedge \varphi \mid \neg\varphi \mid \exists x\,.\,\varphi \mid \exists X\,.\,\varphi$

The semantics of MSO on states is given by the relation $S, \iota, \nu \models_{mso} \varphi$, where $S = \langle s, h\rangle$ is a state, $\iota : \{x, y, z, \ldots\} \to_{fin} Loc$ is an interpretation of the first order variables, and $\nu : \{X, Y, Z, \ldots\} \to_{fin} 2^{Loc}$ is an interpretation of the second order variables. If $S, \iota, \nu \models_{mso} \varphi$ for all interpretations $\iota : \{x, y, z, \ldots\} \to_{fin} Loc$ and $\nu : \{X, Y, Z, \ldots\} \to_{fin} 2^{Loc}$, then we say that $S$ is a model of $\varphi$, denoted $S \models_{mso} \varphi$. We use the standard MSO semantics [18], with the following interpretations of the vertex and edge labels:



$S, \iota, \nu \models_{mso} edge_k(x, y) \iff h_k(\iota(x)) = \iota(y)$

The satisfiability problem for MSO asks, given a formula $\varphi$, whether there exists a state $S$ such that $S \models_{mso} \varphi$. This problem is, in general, undecidable. However, one can show its decidability on a restricted class of models. The theorem below is a slight variation of a classical result in (MSO-definable) graph theory [18]. For space reasons, all proofs are given in [12].

Theorem 1. Let $k \geq 0$ be an integer constant, and $\varphi$ be an MSO formula. The problem asking if there exists a state $S$ such that $tw(S) \leq k$ and $S \models_{mso} \varphi$ is decidable.

2.2 Syntax and Semantics of Separation Logic

Separation Logic (SL) [17] uses only a set of first order logical variables, denoted as $LVar_{sl}$, ranging over locations. We suppose that $LVar_{sl} \cap PVar = \emptyset$ and $LVar_{sl} \cap LVar_{mso} = \emptyset$. Let $Var_{sl}$ denote the set $PVar \cup LVar_{sl}$. A formula is said to be closed if it does not contain logical variables which are not under the scope of a quantifier. By writing $\varphi(\mathbf{x})$ for an SL formula $\varphi$ and a set of logical variables $\mathbf{x}$, we mean that all free variables of $\varphi$ are in $\mathbf{x}$.

Basic Formulae. The syntax of basic formulae is given below:

$\alpha \in Var_{sl} \setminus \{nil\};\quad \beta \in Var_{sl};\quad x \in LVar_{sl}$

$\pi ::= \alpha = \beta \mid \alpha \neq \beta \mid \pi_1 \wedge \pi_2$
$\sigma ::= emp \mid \alpha \mapsto (\beta_1, \ldots, \beta_n) \mid \sigma_1 * \sigma_2$, for some $n > 0$
$\varphi ::= \pi \wedge \sigma \mid \exists x\,.\,\varphi$
A formula of the form $\bigwedge_{i=1}^n \alpha_i = \beta_i \wedge \bigwedge_{j=1}^m \alpha_j \neq \beta_j$ defined by $\pi$ in the syntax above is said to be pure. If $\Pi$ is a pure formula, let $\Pi^*$ denote its closure, i.e., the equivalent pure formula obtained by the exhaustive application of the reflexivity, symmetry, and transitivity axioms of equality. A formula of the form $*_{i=1}^n \alpha_i \mapsto (\beta_{i,1}, \ldots, \beta_{i,n_i})$ defined by $\sigma$ in the syntax above is said to be spatial. The atomic proposition $emp$ denotes the empty spatial conjunction. For a spatial formula $\Sigma$, let $|\Sigma|$ be the total number of variable occurrences in $\Sigma$, e.g. $|emp| = 0$, $|\alpha \mapsto (\beta_1, \ldots, \beta_n)| = n + 1$, etc.

The semantics of a basic formula $\varphi$ is given by the relation $S, \iota \models_{sl} \varphi$ where $S = \langle s, h\rangle$ is a state, and $\iota : LVar_{sl} \to_{fin} Loc$ is an interpretation of logical variables from $\varphi$. For a closed formula $\varphi$, we denote by $S \models_{sl} \varphi$ the fact that $S$ is a model of $\varphi$.

$S, \iota \models_{sl} emp \iff dom(h) = \emptyset$
$S, \iota \models_{sl} \alpha \mapsto (\beta_1, \ldots, \beta_n) \iff h = \{\langle (s \oplus \iota)(\alpha),\ \lambda i\,.\,\text{if } i \leq n \text{ then } (s \oplus \iota)(\beta_i) \text{ else } \bot \rangle\}$
$S, \iota \models_{sl} \varphi_1 * \varphi_2 \iff S_1, \iota \models_{sl} \varphi_1 \text{ and } S_2, \iota \models_{sl} \varphi_2 \text{ where } S_1 \uplus S_2 = S$

The semantics of $=$, $\neq$, $\wedge$, and $\exists$ is classical. Here, the notation $S_1 \uplus S_2 = S$ means that $S$ is the union of two states $S_1 = \langle s_1, h_1\rangle$ and $S_2 = \langle s_2, h_2\rangle$ whose stacks agree on the evaluation of common program variables ($\forall \alpha \in PVar\,.\,s_1(\alpha) \neq \bot \wedge s_2(\alpha) \neq \bot \Rightarrow s_1(\alpha) = s_2(\alpha)$), and whose heaps have disjoint domains ($dom(h_1) \cap dom(h_2) = \emptyset$), i.e., $S = \langle s_1 \cup s_2, h_1 \oplus h_2\rangle$. Note that we adopt here the strict semantics, in which a points-to relation $\alpha \mapsto (\beta_1, \ldots, \beta_n)$ holds in a state consisting of a single cell pointed to by $\alpha$, with exactly $n$ outgoing edges towards dangling locations pointed to by $\beta_1, \ldots, \beta_n$, and the empty heap is specified by $emp$.

Every basic formula $\varphi$ is equivalent to an existentially quantified pair $\Sigma \wedge \Pi$ where $\Sigma$ is a spatial formula and $\Pi$ is a pure formula. Given a basic formula $\varphi$, one can define its spatial ($\Sigma$) and pure ($\Pi$) parts uniquely, up to equivalence. A variable $\alpha \in Var_{sl}$ is said to be allocated in $\varphi$ if and only if $\alpha \mapsto (\ldots)$ occurs in $\Sigma$. It is easy to check that an allocated variable may not refer to a dangling location in any model of $\varphi$. A variable $\beta$ is referenced if and only if $\alpha \mapsto (\ldots, \beta, \ldots)$ occurs in $\Sigma$ for some variable $\alpha$. For a basic formula $\varphi = \Sigma \wedge \Pi$, the size of $\varphi$ is defined as $|\varphi| = |\Sigma|$.
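The strict semantics above can be made concrete by a small model checker; the following Python code is an added example, not part of the original paper. Formulae are encoded as nested tuples (an assumption of this example, as are the sample state and the function names): a closed basic formula is a triple of existential variables, pure atoms $(op, a, b)$ and a spatial formula built from "emp", ("pto", α, [β...]) and ("*", σ₁, σ₂). The separating conjunction is checked by trying every split of $dom(h)$ into two disjoint heaps, and existentials are instantiated over $loc(S)$ plus fresh locations.

```python
"""A model checker for basic SL formulae under the strict semantics:
S, iota |= exists z . Sigma /\ Pi, by enumerating interpretations of the
existentials and, for each *, every split of dom(h) into two disjoint heaps."""
from itertools import product

# Constructed sample state: a two-cell list x -> y -> nil on selector 1,
# with selector 2 of both cells pointing at a dangling location 7.
STORE = {"nil": 0, "x": 1}
HEAP = {1: (2, 7), 2: (0, 7)}               # selector k is index k-1

def value(store, iota, a):
    """(s (+) iota)(a): pointer variables come from the store, logical ones from iota."""
    return store[a] if a in store else iota[a]

def holds_pure(pure, store, iota):
    """Conjunction of (dis)equalities, each written (op, a, b) with op in {"=", "!="}."""
    for op, a, b in pure:
        if (op == "=") != (value(store, iota, a) == value(store, iota, b)):
            return False
    return True

def holds_spatial(sigma, store, heap, iota):
    """Strict semantics: the heap must be exactly what sigma describes."""
    if sigma == "emp":
        return heap == {}
    if sigma[0] == "pto":                   # alpha |-> (beta_1, ..., beta_n)
        _, alpha, betas = sigma
        cell = tuple(value(store, iota, b) for b in betas)
        return heap == {value(store, iota, alpha): cell}
    _, s1, s2 = sigma                       # sigma_1 * sigma_2
    cells = list(heap)
    for side in product((0, 1), repeat=len(cells)):
        h1 = {l: heap[l] for l, c in zip(cells, side) if c == 0}
        h2 = {l: heap[l] for l, c in zip(cells, side) if c == 1}
        if holds_spatial(s1, store, h1, iota) and holds_spatial(s2, store, h2, iota):
            return True
    return False

def satisfies(phi, store, heap):
    """S |= phi for a closed basic formula phi = (existentials, pure, spatial).
    Existentials range over loc(S) plus one fresh location per existential:
    a value outside loc(S) can only matter through (dis)equalities."""
    zs, pure, sigma = phi
    locs = set(store.values()) | set(heap)
    for cell in heap.values():
        locs |= set(cell)
    candidates = sorted(locs) + [max(locs) + 1 + i for i in range(len(zs))]
    for vals in product(candidates, repeat=len(zs)):
        iota = dict(zip(zs, vals))
        if holds_pure(pure, store, iota) and holds_spatial(sigma, store, heap, iota):
            return True
    return False

# exists y,d . y != nil /\ x |-> (y, d) * y |-> (nil, d)   -- holds on HEAP
LIST2 = (["y", "d"], [("!=", "y", "nil")],
         ("*", ("pto", "x", ["y", "d"]), ("pto", "y", ["nil", "d"])))
# exists y,d . x |-> (y, d)   -- fails: the strict semantics forbids the second cell
ONECELL = (["y", "d"], [], ("pto", "x", ["y", "d"]))
```

The ONECELL case is the practical content of the strict semantics: a points-to atom is false on any heap with cells it does not mention, so $x \mapsto (y, d)$ does not hold on the two-cell list even though $x$ is allocated in it.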

Lemma 1. Let $\varphi(\mathbf{x})$ be a basic SL formula, $S = \langle s, h\rangle$ be a state, and $\iota : LVar_{sl} \to_{fin} Loc$ be an interpretation, such that $S, \iota \models_{sl} \varphi(\mathbf{x})$. Then $tw(S) \leq \max(|\varphi|, \|PVar\|)$.

Recursive Definitions. A system $\mathcal{P}$ of recursive definitions is of the form:

$P_1(x_{1,1}, \ldots, x_{1,n_1}) ::= \bigvee_{j=1}^{m_1} R_{1,j}(x_{1,1}, \ldots, x_{1,n_1})$
$\vdots$
$P_k(x_{k,1}, \ldots, x_{k,n_k}) ::= \bigvee_{j=1}^{m_k} R_{k,j}(x_{k,1}, \ldots, x_{k,n_k})$

where $P_1, \ldots, P_k$ are called predicates, $x_{i,1}, \ldots, x_{i,n_i}$ are called parameters, and the formulae $R_{i,j}$ are called the rules of $P_i$. Concretely, a rule $R_{i,j}$ is of the form $R_{i,j}(\mathbf{x}) = \exists \mathbf{z}\,.\,\Sigma * P_{i_1}(\mathbf{y}_1) * \ldots * P_{i_m}(\mathbf{y}_m) \wedge \Pi$, where $\Sigma$ is a spatial SL formula over variables $\mathbf{x} \cup \mathbf{z}$, called the head of $R_{i,j}$, $\langle P_{i_1}(\mathbf{y}_1), \ldots, P_{i_m}(\mathbf{y}_m)\rangle$ is an ordered sequence of predicate occurrences, called the tail of $R_{i,j}$ (we assume w.l.o.g. that $\mathbf{x} \cap \mathbf{z} = \emptyset$, and that $\mathbf{y}_k \subseteq \mathbf{x} \cup \mathbf{z}$, for all $k = 1, \ldots, m$), and $\Pi$ is a pure formula over variables $\mathbf{x} \cup \mathbf{z}$.






Without loss of generality, we assume that all variables occurring in a rule of a recursive definition system are logical variables from $LVar_{sl}$; pointer variables can be passed as parameters at the top level. We subsequently denote $head(R_{i,j}) = \Sigma$, $tail(R_{i,j}) = \langle P_{i_k}(\mathbf{y}_k)\rangle_{k=1}^m$ and $pure(R_{i,j}) = \Pi$, for each rule $R_{i,j}$. Rules with empty tail are called base cases. For each rule $R_{i,j}$ let $\|R_{i,j}\|_{var} = \|\mathbf{z}\| + \|\mathbf{x}\|$ be the number of variables, both existentially quantified and parameters, that occur in $R_{i,j}$. We denote by $\|\mathcal{P}\|_{var} = \max\{\|R_{i,j}\|_{var} \mid 1 \leq i \leq k, 1 \leq j \leq m_i\}$ the maximum such number, among all rules in $\mathcal{P}$. We also denote by $\mathcal{D}(\mathcal{P}) = \{-1, 0, \ldots, \max\{|tail(R_{i,j})| \mid 1 \leq i \leq k, 1 \leq j \leq m_i\} - 1\}$ the direction alphabet of $\mathcal{P}$.

Example. The predicate $tll$ describes a data structure called a tree with parent pointers and linked leaves (see Fig. 3(b)). The data structure is composed of a binary tree in which each internal node points to left and right children, and also to its parent node. In addition, the leaves of the tree are kept in a singly-linked list, according to the order in which they appear on the frontier (left to right).

$tll(x, p, leaf_l, leaf_r) ::= x \mapsto (nil, nil, p, leaf_r) \wedge x = leaf_l$ $(R_1)$
$\quad\mid \exists l, r, z\,.\,x \mapsto (l, r, p, nil) * tll(l, x, leaf_l, z) * tll(r, x, z, leaf_r)$ $(R_2)$

The base case rule $(R_1)$ allocates leaf nodes. The internal nodes of the tree are allocated by the rule $(R_2)$, where the $tll$ predicate occurs twice, first for the left subtree, and second for the right subtree. □

Definition 3. Given a system of recursive definitions $\mathcal{P} = \{P_i ::= \bigvee_{j=1}^{m_i} R_{i,j}\}_{i=1}^k$, an unfolding tree of $\mathcal{P}$ rooted at $i$ is a finite tree $t$ such that:

1. each node of $t$ is labeled by a single rule of the system $\mathcal{P}$,

2. the root of $t$ is labeled with a rule of $P_i$,

3. nodes labeled with base case rules have no successors, and

4. if a node $u$ of $t$ is labeled with a rule whose tail is $P_{i_1}(\mathbf{y}_1) * \ldots * P_{i_m}(\mathbf{y}_m)$, then the children of $u$ form the ordered sequence $v_1, \ldots, v_m$ where $v_j$ is labeled with one of the rules of $P_{i_j}$ for all $j = 1, \ldots, m$.

Remarks. Notice that the recursive predicate $P(x) ::= \exists y\,.\,x \mapsto y * P(y)$ does not have finite unfolding trees. However, in general a system of recursive predicates may have infinitely many finite unfolding trees. □
In the following, we denote by $\mathcal{T}_i(\mathcal{P})$ the set of unfolding trees of $\mathcal{P}$ rooted at $i$. An unfolding tree $t \in \mathcal{T}_i(\mathcal{P})$ corresponds to a basic formula of separation logic called the characteristic formula of $t$, and defined in what follows. For a set of tree positions $P \subseteq \mathbb{N}^*$, we denote $LVar^P = \{x^p \mid x \in LVar, p \in P\}$. For a tree position $p \in \mathbb{N}^*$ and a rule $R$, we denote by $R^p$ the rule obtained by replacing every variable occurrence $x$ in $R$ by $x^p$. For each position $p \in dom(t)$, we define a formula $\phi_t^p$, by induction on the structure of the subtree of $t$ rooted at $p$:

- if $p$ is a leaf labeled with a base case rule $R$, then $\phi_t^p = R^p$

- if $p$ has successors $p.1, \ldots, p.m$, and the label of $p$ is the recursive rule $R(\mathbf{x}) = \exists \mathbf{z}\,.\,head(R) * *_{j=1}^m P_{i_j}(\mathbf{y}_j) \wedge pure(R)$, then:

$\phi_t^p(\mathbf{x}^p) = \exists \mathbf{z}^p\,.\,head(R^p) * *_{j=1}^m \big[\exists \mathbf{x}_{i_j}^{p.j}\,.\,\phi_t^{p.j}(\mathbf{x}_{i_j}^{p.j}) \wedge \mathbf{y}_j^p = \mathbf{x}_{i_j}^{p.j}\big] \wedge pure(R^p)$

In the rest of the paper, we write $\phi_t$ for $\phi_t^\varepsilon$. Notice that $\phi_t$ is defined using the set of logical variables $LVar^{dom(t)}$, instead of $LVar$. However the definition of SL semantics from the previous section carries over naturally to this case.

Example (cont'd). Fig. 3(a) presents an unfolding tree for the $tll$ predicate given in the previous example. The characteristic formula of each node in the tree can be obtained by composing the formulae labeling the children of the node with the formula labeling the node. The characteristic formula of the tree is the formula of its root. □



Fig. 3. (a) An unfolding tree for the $tll$ predicate and (b) a model of the corresponding formula



Given a system of recursive definitions $\mathcal{P} = \{P_i ::= \bigvee_{j=1}^{m_i} R_{i,j}\}_{i=1}^k$, the semantics of a recursive predicate $P_i$ is defined as follows:

$S, \iota \models_{sl} P_i(x_{i,1}, \ldots, x_{i,n_i}) \iff S, \iota_\varepsilon \models_{sl} \phi_t(x_{i,1}^\varepsilon, \ldots, x_{i,n_i}^\varepsilon), \text{ for some } t \in \mathcal{T}_i(\mathcal{P})$ (1)

where $\iota_\varepsilon(x_{i,j}^\varepsilon) \stackrel{def}{=} \iota(x_{i,j})$ for all $j = 1, \ldots, n_i$.

Remark. Since the recursive predicate $P(x) ::= \exists y\,.\,x \mapsto y * P(y)$ does not have finite unfolding trees, the formula $\exists x\,.\,P(x)$ is unsatisfiable. □
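An added example (Python, not part of the original paper) that builds $\phi_t$ for an unfolding tree of $tll$ following the inductive definition above, and then applies the closure $\Pi^*$ to read the resulting heap shape. It assumes that the children of a position $p$ are indexed $p.0, p.1, \ldots$, as in the direction alphabet $\mathcal{D}(\mathcal{P})$; the encoding of rules as dictionaries, the renaming scheme $x^p$ (with $\varepsilon$ written as e) and all function names are this example's own.

```python
"""Building the characteristic formula phi_t of an unfolding tree of the
tll predicate, then reading the heap shape off its equality closure."""

# The tll system as data: a rule has existentials, a head (points-to atoms),
# an ordered tail of predicate occurrences and a pure part (equalities).
TLL = {
    "R1": dict(pred="tll", exists=[],
               head=[("x", ["nil", "nil", "p", "leaf_r"])], tail=[], pure=[("x", "leaf_l")]),
    "R2": dict(pred="tll", exists=["l", "r", "z"],
               head=[("x", ["l", "r", "p", "nil"])],
               tail=[("tll", ["l", "x", "leaf_l", "z"]), ("tll", ["r", "x", "z", "leaf_r"])],
               pure=[]),
}
PARAMS = {"tll": ["x", "p", "leaf_l", "leaf_r"]}

def rename(v, pos):
    """x^p; the program variable nil is not indexed by a position."""
    return v if v == "nil" else f"{v}^{pos or 'e'}"

def characteristic(system, tree, pos=""):
    """phi_t^p as (existentials, points-to atoms, equalities).  `tree` is
    (rule name, [subtrees]); the children of position p are p.0, p.1, ..."""
    rule_name, kids = tree
    rule = system[rule_name]
    if len(kids) != len(rule["tail"]):
        raise ValueError("children must match the tail of the rule")
    exists = [rename(z, pos) for z in rule["exists"]]
    ptos = [(rename(a, pos), [rename(b, pos) for b in bs]) for a, bs in rule["head"]]
    eqs = [(rename(a, pos), rename(b, pos)) for a, b in rule["pure"]]
    for j, ((pred, args), kid) in enumerate(zip(rule["tail"], kids)):
        if system[kid[0]]["pred"] != pred:
            raise ValueError("child labeled with a rule of the wrong predicate")
        cpos = f"{pos}{j}"
        ce, cp, cq = characteristic(system, kid, cpos)
        # exists x_{i_j}^{p.j} . phi_t^{p.j}(x_{i_j}^{p.j}) /\ y_j^p = x_{i_j}^{p.j}
        exists += [rename(x, cpos) for x in PARAMS[pred]] + ce
        ptos += cp
        eqs += cq + [(rename(y, pos), rename(x, cpos)) for y, x in zip(args, PARAMS[pred])]
    return exists, ptos, eqs

def canonical_heap(ptos, eqs):
    """Close the equalities (Pi*) and return the points-to graph over class
    representatives, together with the representative function."""
    rep = {}
    def resolve(v):
        rep.setdefault(v, v)
        while rep[v] != v:
            v = rep[v]
        return v
    for a, b in eqs:
        ra, rb = resolve(a), resolve(b)
        if ra != rb:
            rep[max(ra, rb)] = min(ra, rb)      # the class minimum is the representative
    heap = {resolve(a): tuple(resolve(b) for b in bs) for a, bs in ptos}
    return heap, resolve

# Unfolding tree with an R2 root and two R1 leaves: a tree of three nodes.
TREE = ("R2", [("R1", []), ("R1", [])])
```

Reading the canonical heap shows how the linked-leaves property emerges purely from the parameter equalities: the left leaf's fourth selector ($leaf_r^0$, equated with $z^\varepsilon$) resolves to the same class as the right leaf's $x^1$, and both leaves' parent selectors resolve to the root.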



Top Level Formulae. We are now ready to introduce the fragment of Separation Logic with Recursive Definitions (SLRD). A formula in this fragment is an existentially quantified formula of the following form: $\exists \mathbf{z}\,.\,\varphi * P_{i_1} * \ldots * P_{i_n}$, where $\varphi$ is a basic formula, and $P_{i_j}$ are occurrences of recursive predicates, with free variables in $PVar \cup \mathbf{z}$. The semantics of an SLRD formula is defined in the obvious way, from the semantics of the basic fragment, and that of the recursive predicates.

Example. The following SLRD formulae, with $PVar = \{root, head\}$, both describe the set of binary trees with parent pointers and linked leaves, rooted at $root$, with the leaves linked into a list pointed to by $head$. The difference is that $\varphi_1$ also describes a tree containing only a single allocated location:

$\varphi_1 = tll(root, nil, head, nil)$

$\varphi_2 = \exists l, r, x\,.\,root \mapsto (l, r, nil, nil) * tll(l, root, head, x) * tll(r, root, x, nil)$ □

We are interested in solving two problems on SLRD formulae, namely satisfiability and entailment. The satisfiability problem asks, given a closed SLRD formula $\varphi$, whether there exists a state $S$ such that $S \models_{sl} \varphi$. The entailment problem asks, given two closed SLRD formulae $\varphi_1$ and $\varphi_2$, whether for all states $S$, $S \models_{sl} \varphi_1$ implies $S \models_{sl} \varphi_2$. This is denoted also as $\varphi_1 \models_{sl} \varphi_2$. For instance, in the previous example we have $\varphi_2 \models_{sl} \varphi_1$, but not $\varphi_1 \models_{sl} \varphi_2$.

In general, it is possible to reduce an entailment problem $\varphi_1 \models \varphi_2$ to satisfiability of the formula $\varphi_1 \wedge \neg\varphi_2$. In our case, however, this is not possible directly, because SLRD is not closed under negation. The decision procedures for satisfiability and entailment are the subject of the rest of this paper.

3 Decidability of Satisfiability and Entailment in SLRD

The decision procedure for satisfiability and entailment in SLRD is based on two ingredients. First, we show that, under certain natural restrictions on the system of recursive predicates, which define a fragment of SLRD called $\mathrm{SLRD}_{btw}$, all states that are models of $\mathrm{SLRD}_{btw}$ formulae have bounded tree width (Def. 2). These restrictions are as follows:

1. Progress: each rule allocates exactly one variable

2. Connectivity: there is at least one selector edge between the variable allocated by a rule and the variable allocated by each of its children in the unfolding tree

3. Establishment: all existentially quantified variables in a recursive rule are eventually allocated

Second, we provide a translation of $\mathrm{SLRD}_{btw}$ formulae into equivalent MSO formulae, and rely on the fact that satisfiability of MSO is decidable on classes of states with bounded tree width.

3.1 A Decidable Subset of SLRD

At this point we define the $\mathrm{SLRD}_{btw}$ fragment formally, by defining the three restrictions above. The progress condition (1) asks that, for each rule $R$ in the system of recursive definitions, we have $head(R) = \alpha \mapsto (\beta_1, \ldots, \beta_n)$, for some variables $\alpha, \beta_1, \ldots, \beta_n \in Var_{sl}$. The intuition behind this restriction is reflected by the following example.

Example. Consider the following system of recursive definitions:

$ls(x, y) ::= x \mapsto y \mid \exists z, t\,.\,x \mapsto (z, nil) * t \mapsto (nil, y) * ls(z, t)$

The predicate $ls(x, y)$ defines the set of structures $\{x (\xrightarrow{1})^n z \mapsto t (\xrightarrow{2})^n y \mid n > 0\}$, which clearly cannot be defined in MSO. □
The connectivity condition (2) is defined below:
The connectivity condition (2) is defined below: 






Definition 4. A rule $R$ of a system of recursive definitions, such that $head(R) = \alpha \mapsto (\beta_1, \ldots, \beta_n)$ and $tail(R) = \langle P_{i_1}(\mathbf{y}_1), \ldots, P_{i_m}(\mathbf{y}_m)\rangle$, $m \geq 1$, is said to be connected if and only if the following hold:

- for each $j = 1, \ldots, m$, $(\mathbf{y}_j)_s = \beta'$, for some $1 \leq s \leq n_{i_j}$, where $n_{i_j}$ is the number of parameters of $P_{i_j}$

- $\beta_t = \beta'$ occurs in $pure(R)^*$, for some $1 \leq t \leq n$

- the $s$-th parameter $x_{i_j, s}$ of $P_{i_j}$ is allocated in the heads of all rules of $P_{i_j}$.

In this case we say that between rule $R$ and any rule $Q$ of $P_{i_j}$, there is a local edge, labeled by selector $t$. $\mathcal{F}(R, j, Q) \subseteq Sel$ denotes the set of all such selectors. If all rules of $\mathcal{P}$ are connected, we say that $\mathcal{P}$ is connected.

Example. The following recursive rule, from the previous $tll$ predicate, is connected:

$\exists l, r, z\,.\,x \mapsto (l, r, p, nil) * tll(l, x, leaf_l, z) * tll(r, x, z, leaf_r)$ $(R_2)$

$R_2$ is connected because the variable $l$ is referenced in $R_2$ and it is passed as the first parameter to $tll$ in the first recursive call to $tll$. Moreover, the first parameter ($x$) is allocated by all rules of $tll$. The second call to $tll$ satisfies the condition for similar reasons, via the referenced variable $r$. We have $\mathcal{F}(R_2, 1, R_2) = \{1\}$ and $\mathcal{F}(R_2, 2, R_2) = \{2\}$. □
The establishment condition (3) is formally defined below.

Definition 5. Let $P(x_1, \ldots, x_n) ::= \bigvee_{j=1}^m R_j(x_1, \ldots, x_n)$ be a predicate in a recursive system of definitions. We say that a parameter $x_i$, for some $i = 1, \ldots, n$, is allocated in $P$ if and only if for all $j = 1, \ldots, m$:

- either $x_i$ is allocated in $head(R_j)$, or

- (i) $tail(R_j) = \langle P_{i_1}(\mathbf{y}_1), \ldots, P_{i_k}(\mathbf{y}_k)\rangle$, (ii) $(\mathbf{y}_\ell)_s = x_i$ occurs in $pure(R_j)^*$, for some $\ell = 1, \ldots, k$, and (iii) the $s$-th parameter of $P_{i_\ell}$ is allocated in $P_{i_\ell}$

A system of recursive definitions is said to be established if and only if every existentially quantified variable is eventually allocated, i.e., it is either allocated in the head of its rule or passed, at a parameter position that is allocated, to a predicate occurrence in the tail of its rule.

Example. Let $llextra(x) ::= x \mapsto (nil, nil) \mid \exists n, e\,.\,x \mapsto (n, e) * llextra(n)$ be a recursive definition system, and let $\phi ::= llextra(head)$, where $head \in PVar$. The models of the formula $\phi$ are singly-linked lists, where in all locations of the heap, the first selector points to the next location in the list, and the second selector is dangling, i.e., it can point to any location in the heap. These dangling selectors may form a squared grid of arbitrary size, which is a model of the formula $\phi$. However, the set of squared grids does not have bounded tree width [18]. The problem arises due to the existentially quantified variables $e$ which are never allocated. □
Given a system $\mathcal{P}$ of recursive definitions, one can effectively check whether it is established, by guessing, for each predicate $P_i(x_{i,1}, \ldots, x_{i,n_i})$ of $\mathcal{P}$, the minimal set of parameters which are allocated in $P_i$, and verifying this guess inductively (3). Then, once the minimal set of allocated parameters is determined for each predicate, one can check whether every existentially quantified variable is eventually allocated.

(3) For efficiency, a least fixpoint iteration can be used instead of a non-deterministic guess.
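As an added example (Python code written for this edition, not the paper's own procedure), the following checks the three restrictions on the paper's $tll$, $llextra$ and $ls$ systems. Establishment is decided by a fixpoint iteration over, for each predicate, the set of parameter positions that every rule allocates, in the spirit of footnote (3): the iteration starts from all positions and drops a position as soon as some rule neither allocates it in its head nor passes it to a position still believed allocated, and the base cases anchor the result. The rule encoding, the abbreviated parameter names and the function names are this example's assumptions.

```python
"""Checking the SLRD_btw restrictions: progress, connectivity (Def. 4)
and establishment (Def. 5), the latter by a fixpoint iteration over the
set of parameters that every rule of a predicate allocates."""

def rule(pred, params, exists, head, tail, pure=()):
    """head: [(alpha, [beta, ...])], tail: [(pred, [arg, ...])], pure: [(a, b)] equalities."""
    return dict(pred=pred, params=params, exists=exists, head=head, tail=tail, pure=list(pure))

# The paper's predicates, as data (leaf_l / leaf_r shortened to ll / lr).
TLL = [rule("tll", ["x", "p", "ll", "lr"], [], [("x", ["nil", "nil", "p", "lr"])], [], [("x", "ll")]),
       rule("tll", ["x", "p", "ll", "lr"], ["l", "r", "z"], [("x", ["l", "r", "p", "nil"])],
            [("tll", ["l", "x", "ll", "z"]), ("tll", ["r", "x", "z", "lr"])])]
LLEXTRA = [rule("llextra", ["x"], [], [("x", ["nil", "nil"])], []),
           rule("llextra", ["x"], ["n", "e"], [("x", ["n", "e"])], [("llextra", ["n"])])]
LS = [rule("ls", ["x", "y"], [], [("x", ["y"])], []),
      rule("ls", ["x", "y"], ["z", "t"], [("x", ["z", "nil"]), ("t", ["nil", "y"])], [("ls", ["z", "t"])])]

def equal_in_closure(r):
    """Equality modulo pure(R)*: the reflexive, symmetric, transitive closure."""
    rep = {}
    def find(v):
        rep.setdefault(v, v)
        while rep[v] != v:
            v = rep[v]
        return v
    for a, b in r["pure"]:
        ra, rb = find(a), find(b)
        if ra != rb:
            rep[ra] = rb
    return lambda a, b: find(a) == find(b)

def allocated_in_head(r, v):
    eq = equal_in_closure(r)
    return any(eq(v, alpha) for alpha, _ in r["head"])

def progress(system):
    """(1) each rule allocates exactly one variable."""
    return all(len(r["head"]) == 1 and r["head"][0][0] != "nil" for r in system)

def eventually_allocated(r, v, alloc):
    """v is allocated in head(R), or is passed (modulo pure(R)*) to a
    parameter position that is allocated in the callee (Def. 5)."""
    if allocated_in_head(r, v):
        return True
    eq = equal_in_closure(r)
    return any(eq(v, a) and s in alloc[pred]
               for pred, args in r["tail"] for s, a in enumerate(args))

def allocated_params(system):
    """pred -> indices of the parameters allocated in every rule of pred.
    Start from all parameters and drop those some rule fails to allocate,
    until stable; base cases (empty tail) anchor the iteration."""
    rules_of = {}
    for r in system:
        rules_of.setdefault(r["pred"], []).append(r)
    alloc = {p: set(range(len(rs[0]["params"]))) for p, rs in rules_of.items()}
    changed = True
    while changed:
        changed = False
        for p, rs in rules_of.items():
            keep = {i for i in alloc[p]
                    if all(eventually_allocated(r, r["params"][i], alloc) for r in rs)}
            if keep != alloc[p]:
                alloc[p], changed = keep, True
    return alloc

def established(system):
    """(3) every existentially quantified variable is eventually allocated."""
    alloc = allocated_params(system)
    return all(eventually_allocated(r, z, alloc) for r in system for z in r["exists"])

def connected(system):
    """(2) Def. 4: each predicate occurrence receives, at some position s,
    a variable equal (modulo pure(R)*) to a selector target of the head,
    and position s is allocated in the head of every rule of the callee."""
    for r in system:
        eq = equal_in_closure(r)
        targets = [b for _, bs in r["head"] for b in bs]
        for pred, args in r["tail"]:
            callee = [q for q in system if q["pred"] == pred]
            if not any(eq(a, b) and all(allocated_in_head(q, q["params"][s]) for q in callee)
                       for s, a in enumerate(args) for b in targets):
                return False
    return True
```

On $tll$ the iteration settles on $\{x, leaf_l\}$ as the allocated parameters: $leaf_l$ is allocated in $R_1$ through $x = leaf_l$ and passed to the third position in $R_2$, while $p$ and $leaf_r$ are only referenced in the base case. This is what makes $z$ in $R_2$ established (it is passed as $leaf_l$ of the right subtree), whereas $e$ in $llextra$ is neither allocated nor passed anywhere.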
Lemma 2. Let $\mathcal{P} = \{P_i ::= \bigvee_{j=1}^{m_i} R_{i,j}(x_{i,1}, \ldots, x_{i,n_i})\}_{i=1}^k$ be an established system of recursive definitions, and $S = \langle s, h\rangle$ be a state, such that $S, \iota \models_{sl} P_i(x_{i,1}, \ldots, x_{i,n_i})$ for some interpretation $\iota : LVar_{sl} \to_{fin} Loc$ and some $1 \leq i \leq k$. Then $tw(S) \leq \|\mathcal{P}\|_{var}$.

The result of the previous lemma extends to an arbitrary top-level formula:

Theorem 2. Let $\mathcal{P} = \{P_i ::= \bigvee_{j=1}^{m_i} R_{i,j}(x_{i,1}, \ldots, x_{i,n_i})\}_{i=1}^k$ be an established system of recursive definitions, and $S = \langle s, h\rangle$ be a state, such that $S \models_{sl} \exists \mathbf{z}\,.\,\varphi(\mathbf{y}_0) * P_{i_1}(\mathbf{y}_1) * \ldots * P_{i_n}(\mathbf{y}_n)$, where $\varphi$ is a basic SL formula, $P_{i_j}$ are predicates of $\mathcal{P}$, and $\mathbf{y}_j \subseteq \mathbf{z}$, for all $j = 0, 1, \ldots, n$. Then $tw(S) \leq \max(\|\mathbf{z}\|, |\varphi|, \|PVar\|, \|\mathcal{P}\|_{var})$.

4 From $\mathrm{SLRD}_{btw}$ to MSO

This section describes the translation of an SL formula using recursively defined predicates into an MSO formula. We denote by $\Pi(X_0, \ldots, X_i, X)$ the fact that $X_0, \ldots, X_i$ is a partition of $X$, and by $\Sigma(x, X)$ the fact that $X$ is a singleton with $x$ as the only element.

4.1 Converting Basic SL Formulae to MSO

For every SL logical variable $x \in LVar_{sl}$ we assume the existence of an MSO logical variable $\bar{x} \in LVar_{mso}$, which is used to replace $x$ in the translation. For every program variable $u \in PVar \setminus \{nil\}$ we assume the existence of a logical variable $x_u \in LVar_{mso}$. The special variable $nil \in PVar$ is translated into $x_{nil} \in LVar_{mso}$ (with the associated MSO constraint $null(x_{nil})$). In general, for any pointer or logical variable $\alpha \in Var_{sl}$, we denote by $\bar\alpha$ the logical MSO variable corresponding to it.

The translation of a pure SL formula $\alpha = \beta$, $\alpha \neq \beta$, $\pi_1 \wedge \pi_2$ is $\bar\alpha = \bar\beta$, $\neg(\bar\alpha = \bar\beta)$, $\bar\pi_1 \wedge \bar\pi_2$, respectively, where $\bar\pi(\bar\alpha_1, \ldots, \bar\alpha_k)$ is the translation of $\pi(\alpha_1, \ldots, \alpha_k)$. Spatial SL formulae $\sigma(\alpha_1, \ldots, \alpha_k)$ are translated into MSO formulae $\bar\sigma(\bar\alpha_1, \ldots, \bar\alpha_k, X)$, where $X$ is used for the set of locations allocated in $\sigma$. The fact that $X$ actually denotes the domain of the heap is ensured by the following MSO constraint:

$Heap(X) = \forall x\,.\,\bigvee_{i=1}^{\|Sel\|} (\exists y\,.\,edge_i(x, y)) \leftrightarrow X(x)$

The translation of basic spatial formulae is defined by induction on their structure:

$\overline{emp}(X) = \forall x\,.\,\neg X(x)$
$\overline{\alpha \mapsto (\beta_1, \ldots, \beta_n)}(X) = \Sigma(\bar\alpha, X) \wedge \bigwedge_{i=1}^n edge_i(\bar\alpha, \bar\beta_i) \wedge \bigwedge_{i=n+1}^{\|Sel\|} \forall x\,.\,\neg edge_i(\bar\alpha, x)$
$\overline{\sigma_1 * \sigma_2}(X) = \exists Y \exists Z\,.\,\bar\sigma_1(Y) \wedge \bar\sigma_2(Z) \wedge \Pi(Y, Z, X)$

The translation of a closed basic SL formula $\varphi$ into MSO is defined as $\exists X\,.\,\bar\varphi(X) \wedge Heap(X)$, where $\bar\varphi(X)$ is defined as $\overline{\pi \wedge \sigma}(X) = \bar\pi \wedge \bar\sigma(X)$, and $\overline{\exists x\,.\,\varphi_1}(X) = \exists \bar x\,.\,\bar\varphi_1(X)$. The following lemma proves that the MSO translation of a basic SL formula defines the same set of models as the original SL formula.
Lemma 3. For any state $S = \langle s, h\rangle$, any interpretation $\iota : LVar_{sl} \to_{fin} Loc$, and any basic SL formula $\varphi$, we have $S, \iota \models_{sl} \varphi$ if and only if $S, \bar\iota, \nu[X \leftarrow dom(h)] \models_{mso} \bar\varphi(X) \wedge Heap(X)$, where $\bar\iota : LVar_{mso} \to_{fin} Loc$ is an interpretation of first order variables, such that $\bar\iota(x_u) = s(u)$, for all $u \in PVar$, and $\bar\iota(\bar x) = \iota(x)$, for all $x \in LVar_{sl}$, and $\nu : LVar_{mso} \to_{fin} 2^{Loc}$ is any interpretation of second-order variables.

4.2 States and Backbones

The rest of this section is concerned with the MSO definition of states that are models of recursive SL formulae, i.e. formulae involving recursively defined predicates. The main idea behind this encoding is that any part of a state which is the model of a recursive predicate can be decomposed into a tree-like structure, called the backbone, and a set of edges between the nodes of this tree. Intuitively, the backbone is a spanning tree that uses only local edges. For instance, in the state depicted in Fig. 3(b), the local edges are drawn in solid lines.

Let $P_i(x_1, \ldots, x_n)$ be a recursively defined predicate of a system $\mathcal{P}$, and $S, \iota \models_{sl} P_i(x_1, \ldots, x_n)$, for some state $S = (s, h)$ and some interpretation $\iota : LVar_{sl} \to Loc$. Then $S, \iota \models_{sl} \phi_t$, where $t \in \mathcal{T}_i(\mathcal{P})$ is an unfolding tree, $\phi_t$ is its characteristic formula, and $\mu : dom(t) \to dom(h)$ is the bijective tree that describes the allocation of nodes in the heap by the rules labeling the unfolding tree. Recall that the direction alphabet of the system $\mathcal{P}$ is $\mathcal{D}(\mathcal{P}) = \{-1, 0, \ldots, N-1\}$, where $N$ is the maximum number of predicate occurrences within some rule of $\mathcal{P}$, and denote $\mathcal{D}^+(\mathcal{P}) = \mathcal{D}(\mathcal{P}) \setminus \{-1\}$. For each rule $R_{ij}$ in $\mathcal{P}$ and each direction $d \in \mathcal{D}(\mathcal{P})$, we introduce a second-order variable $X^d_{ij}$ to denote the set of locations $\ell$ such that (i) $t(\mu^{-1}(\ell)) = R_{ij}$ and (ii) $\mu^{-1}(\ell)$ is a $d$-th child, if $d \geq 0$, or $\mu^{-1}(\ell)$ is the root of $t$, if $d = -1$. Let $\vec{X}$ be the sequence of the $X^d_{ij}$ variables, enumerated in some order. We use the following shorthands:

$$X_{ij}(x) = \bigvee_{k \in \mathcal{D}(\mathcal{P})} X^k_{ij}(x) \qquad X_i(x) = \bigvee_{1 \leq j \leq m_i} X_{ij}(x) \qquad X^k_i(x) = \bigvee_{1 \leq j \leq m_i} X^k_{ij}(x)$$

to denote, respectively, the locations allocated by a rule $R_{ij}$ ($X_{ij}$), by a recursive predicate $P_i$ ($X_i$), or by the predicate $P_i$ and mapped to a $k$-th child (or to the root, if $k = -1$) of the unfolding tree of $\mathcal{P}$ rooted at $i$ ($X^k_i$).

In order to characterize the backbone of a state, one must first define the local edges:

$$local\_edge^d_{ij,pq}(x, y) = \bigwedge_{s \in \mathcal{F}(R_{ij}, d, R_{pq})} edge_s(x, y)$$

for all $d \in \mathcal{D}^+(\mathcal{P})$. Here $\mathcal{F}(R_{ij}, d, R_{pq})$ is the set of forward local selectors for direction $d$, which was defined previously; notice that the set of local edges depends on the source and destination rules $R_{ij}$ and $R_{pq}$ that label the corresponding nodes in the unfolding tree. The following predicates ensure that these labels are used correctly, and define the successor functions of the unfolding tree:

$$succ_d(x, y, \vec{X}) = \bigvee_{\substack{1 \leq i, p \leq n \\ 1 \leq j \leq m_i \\ 1 \leq q \leq m_p}} X_{ij}(x) \wedge X^d_{pq}(y) \wedge local\_edge^d_{ij,pq}(x, y)$$

for all $d \in \mathcal{D}^+(\mathcal{P})$, where $n$ is the number of predicates of $\mathcal{P}$ and $m_i$ the number of rules of $P_i$. The definition of the backbone of a recursive predicate $P_i$ in MSO follows tightly the definition of the unfolding tree of $\mathcal{P}$ rooted at $i$ (Def. 3):

$$backbone_i(r, \vec{X}, T) = tree(r, \vec{X}, T) \wedge X^{-1}_i(r) \wedge succ\_labels(\vec{X})$$

where $tree(r, \vec{X}, T)$ defines a tree$^4$ with domain $T$, rooted at $r$, with successor functions defined by $succ_0, \ldots, succ_{N-1}$, and $succ\_labels$ ensures that the labeling of each tree position (with rules of $\mathcal{P}$) is consistent with the definition of $\mathcal{P}$:

$$succ\_labels(\vec{X}) = \forall x . \bigwedge_{\substack{1 \leq i \leq n \\ 1 \leq j \leq m_i}} X_{ij}(x) \rightarrow \bigwedge_{d=0}^{r_{ij}-1} \big(\exists y . X^d_{k_{d+1}}(y) \wedge succ_d(x, y, \vec{X})\big) \wedge \bigwedge_{s = c_{ij}+1}^{\|Sel\|} \forall y . \neg edge_s(x, y)$$

where we suppose that, for each rule $R_{ij}$ of $\mathcal{P}$, we have $head(R_{ij}) = \alpha \mapsto (\beta_1, \ldots, \beta_{c_{ij}})$ and $tail(R_{ij}) = (P_{k_1}, \ldots, P_{k_{r_{ij}}})$, for some $c_{ij}, r_{ij} \geq 0$ and some indexing $k_1, \ldots, k_{r_{ij}}$ of the predicate occurrences within $R_{ij}$. The last conjunct ensures that a location allocated in $R_{ij}$ does not have more outgoing edges than specified by $head(R_{ij})$. This condition is needed since, unlike SL, the semantics of MSO does not impose strictness conditions on the number of outgoing edges.

4.3 Inner Edges

An edge between two locations is said to be inner if both locations are allocated in the heap. Let $\mu$ be the bijective tree defined in Sec. 4.2. The existence of an edge $\ell \xrightarrow{s} \ell'$ in $S$, between two arbitrary locations $\ell, \ell' \in dom(h)$, is the consequence of:

1. a basic points-to formula $\alpha \mapsto (\beta_1, \ldots, \beta_s, \ldots, \beta_n)$ that occurs in $t(\mu^{-1}(\ell))$

2. a basic points-to formula $\gamma \mapsto (\ldots)$ that occurs in $t(\mu^{-1}(\ell'))$

3. a path $\mu^{-1}(\ell) = p_1, p_2, \ldots, p_{m-1}, p_m = \mu^{-1}(\ell')$ in $t$, such that the equalities $\beta_s^{p_1} = \delta_2^{p_2} = \cdots = \delta_{m-1}^{p_{m-1}} = \gamma^{p_m}$ are all logical consequences of $\phi_t$, for some tree positions $p_2, \ldots, p_{m-1} \in dom(t)$ and some variables $\delta_2, \ldots, \delta_{m-1} \in LVar_{sl}$.

Notice that the above conditions hold only for inner edges. The (corner) case of edges leading to dangling locations is dealt with in Sec. 4.5.

Example. The existence of the edge from tree position $00$ to $01$ in Fig. 3(b) is a consequence of the following: (1) $x^{00} \mapsto (nil, nil, p^{00}, leaf_r^{00})$, (2) $x^{01} \mapsto (nil, nil, p^{01}, leaf_r^{01})$, and (3) $leaf_r^{00} = z^0 = leaf_l^{01} = x^{01}$. The reason for the other dashed edges is similar. $\square$

The main idea here is to encode in MSO the existence of such paths in the unfolding tree, between the source and the destination of an edge, and to use this encoding to define the edges. To this end, we use a special class of tree automata, called tree-walking automata (TWA), to recognize the paths corresponding to sequences of equalities occurring within characteristic formulae of unfolding trees.

4 For space reasons this definition is deferred to Appendix A. 
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Tree Walking Automata Given a set of tree directions <D = {-1,0, . . . ,N} for some 
N > 0, a tree-walking automaton 5 , is a tuple A = (L,Q,qi,qf,A) where E is a set of 
tree node labels, Q is a set of states, qi,qf G Q are the initial and final states, and 
A : Q x (EU {roof}) x (EU {?}) ->■ 2 Q x (® u { £ » is the (non-deterministic) transition 
function. A configuration of A is a pair (p,q), where p G T>* is a tree position, and 
q G Q is a state. A run of A over a E-labeled tree f is a sequence of configurations 
(pi,qi),. . . ,{p n ,q n ), with pi,...,p„ G domif), such that for all z = l,...,n— 1, we 
have p i+ i = pj.k, where either: 

1. p i ^eand{q i+ i,k)GA{q i ,t(pi),t(p i .{-l))),foTkG'Du{e} 

2. pi = eand {q i+ \,k) G A(g,-,a, ?), for O G {t {pi) Uroot } and k G £>U{e} 

The run is said to be accepting if gi = qu p\ = e and q n =qf. 

Routing Automata. For a system of recursive definitions $\mathcal{P} = \{P_i(x_{i,1}, \ldots, x_{i,n_i}) ::= |_{j=1}^{m_i} R_{ij}(x_{i,1}, \ldots, x_{i,n_i})\}_{i=1}^{n}$ we define the TWA $A_\mathcal{P} = (\Sigma_\mathcal{P}, Q_\mathcal{P}, q_i, q_f, \Delta_\mathcal{P})$, where $\Sigma_\mathcal{P} = \{R^k_{ij} \mid 1 \leq i \leq n, 1 \leq j \leq m_i, k \in \mathcal{D}(\mathcal{P})\}$ and $Q_\mathcal{P} = \{q^{var}_x \mid x \in LVar_{sl}\} \cup \{q^{sel}_s \mid s \in Sel\} \cup \{q_i, q_f\}$. The transition function $\Delta_\mathcal{P}$ is defined as follows:

1. $(q_i, k), (q^{sel}_s, \varepsilon) \in \Delta(q_i, \sigma, \tau)$ for all $k \in \mathcal{D}^+(\mathcal{P})$, all $s \in Sel$ and all $\sigma \in \Sigma_\mathcal{P} \cup \{root\}$, $\tau \in \Sigma_\mathcal{P} \cup \{?\}$, i.e., the automaton first moves downwards choosing random directions while in $q_i$, then changes to $q^{sel}_s$ for some non-deterministically chosen selector $s$.

2. $(q^{var}_{\beta_s}, \varepsilon) \in \Delta(q^{sel}_s, R^k_{ij}, \tau)$ and $(q_f, \varepsilon) \in \Delta(q^{var}_\alpha, R^k_{ij}, \tau)$ for all $k \in \mathcal{D}(\mathcal{P})$ and $\tau \in \Sigma_\mathcal{P} \cup \{?\}$ if and only if $head(R_{ij}) = \alpha \mapsto (\beta_1, \ldots, \beta_s, \ldots, \beta_m)$, for some $m \geq s$, i.e., when in $q^{sel}_s$, the automaton starts tracking the destination $\beta_s$ of the selector $s$ through the tree. The automaton enters the final state when the tracked variable $\alpha$ is allocated.

3. for all $k \in \mathcal{D}^+(\mathcal{P})$, all $d \in \mathcal{D}(\mathcal{P})$ and all rules $R_{\ell q}$ of $P_\ell(x_{\ell,1}, \ldots, x_{\ell,n_\ell})$, we have $(q^{var}_{x_{\ell,j}}, k) \in \Delta(q^{var}_{y_j}, R^d_{ij}, \tau)$, for all $\tau \in \Sigma_\mathcal{P} \cup \{?\}$, and $(q^{var}_{y_j}, -1) \in \Delta(q^{var}_{x_{\ell,j}}, R^k_{\ell q}, R^d_{ij})$ if and only if $tail(R_{ij})_k = P_\ell(y_1, \ldots, y_{n_\ell})$, i.e., the automaton moves down along the $k$-th direction tracking $x_{\ell,j}$ instead of $y_j$, when the predicate $P_\ell(\vec{y})$ occurs on the $k$-th position in $R_{ij}$. Symmetrically, the automaton can also move up tracking $y_j$ instead of $x_{\ell,j}$, under the same conditions.

4. $(q^{var}_\beta, \varepsilon) \in \Delta(q^{var}_\alpha, R^k_{ij}, \tau)$ for all $k \in \mathcal{D}(\mathcal{P})$ and all $\tau \in \Sigma_\mathcal{P} \cup \{?\}$ if and only if $\alpha = \beta$ occurs in $pure(R_{ij})$, i.e., the automaton switches from tracking $\alpha$ to tracking $\beta$ when the equality between the two variables occurs in $R_{ij}$, while keeping the same position in the tree.

The following lemma formalizes the correctness of the TWA construction:

Lemma 4. Given a system of recursive definitions $\mathcal{P}$ and an unfolding tree $t \in \mathcal{T}_i(\mathcal{P})$ of $\mathcal{P}$, rooted at $i$, for any $x, y \in LVar_{sl}$ and $p, r \in dom(t)$, we have $\models_{sl} \phi_t \rightarrow x^p = y^r$ if and only if $A_\mathcal{P}$ has a run from $(p, q^{var}_x)$ to $(r, q^{var}_y)$ over $t$, where $\phi_t$ is the characteristic formula of $t$.

5 This notion of tree-walking automaton is a slightly modified but equivalent version of the one in [3]. We give the translation of TWA into the original definition in Appendix B.
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To the routing automaton Ay corresponds the MSO formula <fr A , F (r, X , T, Y ), where 
r maps to the root of the unfolding tree, X^ is the sequence of second order variables 

defined previously, T maps to the domain of the tree, and Y* is a sequence of second- 
order variables X q , one for each state q £ Q$. We denote by Y s s el and Yf the variables 
from Y* that correspond to the states q s f and qj, for all s £ Sel, respectively. For space 
reasons, the definition of <P AlJ , is given in Appendix C. With this notation, we define: 

inner jedges(r, x\ T) = VxVy /\ 3 Y* . <t> Ap (r, x\ T, ~f) Arf'(i) AT/(y) -> 



4.4 Double Allocation

In order to translate the definition of a recursively defined SL predicate $P(x_1, \ldots, x_n)$ into an MSO formula $\bar{P}$ that captures the models of $P$, we need to introduce a sanity condition, imposing that recursive predicates which establish equalities between variables allocated at different positions in the unfolding tree are unsatisfiable. This is due to the semantics of the separating conjunction of SL, which implicitly conjoins all local formulae of an unfolding tree. A double allocation occurs in the unfolding tree $t$ if and only if there exist two distinct positions $p, q \in dom(t)$ and:

1. a basic points-to formula $\alpha \mapsto (\ldots)$ occurring in $t(p)$

2. a basic points-to formula $\beta \mapsto (\ldots)$ occurring in $t(q)$

3. a path $p = p_1, \ldots, p_m = q$ in $t$, such that the equalities $\alpha^{p} = \gamma_2^{p_2} = \cdots = \gamma_{m-1}^{p_{m-1}} = \beta^{q}$ are all logical consequences of $\phi_t$, for some tree positions $p_2, \ldots, p_{m-1} \in dom(t)$ and some variables $\gamma_2, \ldots, \gamma_{m-1} \in LVar_{sl}$

The cases of double allocation can be recognized using a routing automaton $B_\mathcal{P} = (\Sigma_\mathcal{P}, Q'_\mathcal{P}, q_i, q_f, \Delta'_\mathcal{P})$, whose states $Q'_\mathcal{P} = \{q^{var}_x \mid x \in LVar_{sl}\} \cup \{q_0, q_i, q_f\}$ and transitions differ from those of $A_\mathcal{P}$ only in the following rules:

- $(q_0, \varepsilon) \in \Delta(q_i, \sigma, \tau)$ for all $\sigma \in \Sigma_\mathcal{P} \cup \{root\}$ and all $\tau \in \Sigma_\mathcal{P} \cup \{?\}$, i.e., after non-deterministically choosing a position in the tree, the automaton enters a designated state $q_0$, which occurs only once in each run.

- $(q^{var}_\alpha, \varepsilon) \in \Delta(q_0, R^k_{ij}, \tau)$ for all $k \in \mathcal{D}(\mathcal{P})$ and all $\tau \in \Sigma_\mathcal{P} \cup \{?\}$ if and only if $head(R_{ij}) = \alpha \mapsto (\ldots)$, i.e., while in the designated state $q_0$, the automaton starts tracking the variable $\alpha$ which is allocated at that position.

This routing automaton has a run over $t$ which labels one position by $q_0$ and a distinct one by $q_f$ if and only if two positions in $t$ allocate the same location. Notice that $B_\mathcal{P}$ always has a trivial run that starts and ends in the same position: since each position $p \in dom(t)$ allocates a variable $\alpha$, the sequence $(\varepsilon, q_i), \ldots, (p, q_0), (p, q^{var}_\alpha), (p, q_f)$ is a valid run of $B_\mathcal{P}$. The predicate system has no double allocation if and only if these are the only possible runs of $B_\mathcal{P}$.

The existence of a run of $B_\mathcal{P}$ is captured by an MSO formula $\Phi_{B_\mathcal{P}}(r, \vec{X}, T, \vec{Y})$, where $r$ maps to the root of the unfolding tree, $\vec{X}$ is the sequence of second-order variables $X^d_{ij}$ defined previously, $T$ maps to the domain of the tree, and $\vec{Y}$ is the sequence of second-order variables $Y_q$, taken in some order, each of which maps to the set of tree positions visited by the automaton while in state $q \in Q'_\mathcal{P}$. We denote by $Y_0$ and $Y_f$ the variables from $\vec{Y}$ that correspond to the states $q_0$ and $q_f$, respectively. Finally, we define the constraint:

$$no\_double\_alloc(r, \vec{X}, T) = \forall \vec{Y} . \Phi_{B_\mathcal{P}}(r, \vec{X}, T, \vec{Y}) \rightarrow Y_0 = Y_f$$

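The run search of Lemma 4 (Sec. 4.3) and the double-allocation check of this section, as an added worked example; this is not code from the paper. It encodes the two rules of $tll$ from Sec. 2.2 as data (our transcription, since the rule bodies are not reproduced in this section: $R_{11}$ is $x \mapsto (nil, nil, p, leaf_r) \wedge x = leaf_l$ and $R_{12}$ is $\exists l, r, z . x \mapsto (l, r, p, nil) * tll(l, x, leaf_l, z) * tll(r, x, z, leaf_r)$), derives the moves of $A_\mathcal{P}$ from rules 2 to 4 on the fly, and explores the finite configuration graph by breadth-first search. The initial state $q_i$, whose only job is to pick a start position, is replaced by starting the search at that position, and $nil$ is never tracked. The unfolding tree `TREE` is constructed to match Fig. 3(b), with leaves at positions $1$, $00$ and $01$; `BAD_TLL` is a deliberately broken variant, constructed for illustration, in which the second subtree receives $leaf_l$ instead of $z$.

```python
from collections import deque

# tll(x, p, leaf_l, leaf_r), transcribed from Sec. 2.2 (assumption: the variable names
# used there).  Each rule records head (allocated variable, selector fields), tail (actual
# parameters of the k-th predicate occurrence, k = direction) and its pure part:
#   R11: x |-> (nil, nil, p, leaf_r)  /\  x = leaf_l
#   R12: exists l, r, z . x |-> (l, r, p, nil) * tll(l, x, leaf_l, z) * tll(r, x, z, leaf_r)
TLL = {
    "params": ("x", "p", "leaf_l", "leaf_r"),
    "rules": {
        "R11": {"head": ("x", ("nil", "nil", "p", "leaf_r")), "tail": [],
                "pure": [("x", "leaf_l")]},
        "R12": {"head": ("x", ("l", "r", "p", "nil")),
                "tail": [("l", "x", "leaf_l", "z"), ("r", "x", "z", "leaf_r")],
                "pure": []},
    },
}

# Deliberately broken variant (constructed): the second subtree gets leaf_l instead of z,
# so leaf_l^0 = x^00 and leaf_l^0 = leaf_l^01 = x^01 force two positions onto one location.
BAD_TLL = {"params": TLL["params"], "rules": dict(TLL["rules"])}
BAD_TLL["rules"]["R12"] = {"head": ("x", ("l", "r", "p", "nil")),
                           "tail": [("l", "x", "leaf_l", "z"), ("r", "x", "leaf_l", "leaf_r")],
                           "pure": []}

# Constructed unfolding tree, positions as tuples of directions (() is the root):
# the root and its 0-th child are internal nodes, positions 1, 00 and 01 are leaves.
TREE = {(): "R12", (0,): "R12", (1,): "R11", (0, 0): "R11", (0, 1): "R11"}


def step(system, tree, pos, state):
    """Moves of the routing automaton A_P from configuration (pos, state).
    States are ('sel', s), ('var', a) or ('final',).  The initial state q_i only
    chooses a start position, so a search simply begins at (pos, ('sel', s))."""
    params = system["params"]
    rule = system["rules"][tree[pos]]
    alloc, fields = rule["head"]
    out = []
    if state[0] == "sel":                          # rule 2: start tracking beta_s
        beta = fields[state[1] - 1]
        if beta != "nil":                          # nil is not a tracked variable
            out.append((pos, ("var", beta)))
        return out
    if state[0] != "var":
        return out                                 # q_f has no outgoing moves
    a = state[1]
    if a == alloc:                                 # rule 2: tracked variable allocated here
        out.append((pos, ("final",)))
    for k, actuals in enumerate(rule["tail"]):     # rule 3: down along direction k
        child = pos + (k,)
        if child in tree:
            out += [(child, ("var", params[j])) for j, y in enumerate(actuals) if y == a]
    if pos:                                        # rule 3: up to the parent (direction -1)
        parent, k = pos[:-1], pos[-1]
        actuals = system["rules"][tree[parent]]["tail"][k]
        out += [(parent, ("var", actuals[j])) for j, f in enumerate(params) if f == a]
    for u, v in rule["pure"]:                      # rule 4: switch along an equality u = v
        if u == a:
            out.append((pos, ("var", v)))
        if v == a:
            out.append((pos, ("var", u)))
    return out


def reachable(system, tree, start):
    """Every configuration reachable from start (BFS over the finite configuration graph)."""
    seen, queue = {start}, deque([start])
    while queue:
        pos, state = queue.popleft()
        for cfg in step(system, tree, pos, state):
            if cfg not in seen:
                seen.add(cfg)
                queue.append(cfg)
    return seen


def entails_equality(system, tree, p, x, r, y):
    """Lemma 4: phi_t |= x^p = y^r iff A_P has a run from (p, q^var_x) to (r, q^var_y)."""
    return (r, ("var", y)) in reachable(system, tree, (p, ("var", x)))


def inner_edges(system, tree):
    """Triples (p, s, r) for which inner_edges(r, X, T) forces an s-edge from mu(p) to mu(r):
    a run from (p, q^sel_s) that reaches q_f at position r."""
    nsel = len(next(iter(system["rules"].values()))["head"][1])
    return {(p, s, r) for p in tree for s in range(1, nsel + 1)
            for r, st in reachable(system, tree, (p, ("sel", s))) if st == ("final",)}


def double_allocation(system, tree):
    """Sec. 4.4: B_P starts in q_0 at some p tracking the variable allocated there; reaching
    q_f at a different position r means mu(p) and mu(r) would have to coincide."""
    for p in tree:
        alloc = system["rules"][tree[p]]["head"][0]
        for r, st in reachable(system, tree, (p, ("var", alloc))):
            if st == ("final",) and r != p:
                return (p, r)
    return None


if __name__ == "__main__":
    print(sorted(inner_edges(TLL, TREE)))   # contains ((0, 0), 4, (0, 1)), the dashed edge
    print(double_allocation(TLL, TREE), double_allocation(BAD_TLL, TREE))
```

On `TREE`, the run from $(00, q^{sel}_4)$ follows $leaf_r^{00} = z^0 = leaf_l^{01} = x^{01}$ and accepts at $01$, recovering the edge of the example in Sec. 4.3, whereas the parent selector of the root and the fourth selector of the last leaf yield no inner edge: their destinations are parameters of the top-level predicate, which is the case handled in Sec. 4.5. For `BAD_TLL` the search started in the allocated variable of one leaf reaches the allocated variable of another leaf, which is exactly the non-trivial run of $B_\mathcal{P}$ that $no\_double\_alloc$ forbids.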
4.5 Handling Parameters

The last issue to be dealt with is the role of the actual parameters passed to a recursively defined predicate $P_i(x_{i,1}, \ldots, x_{i,n_i})$ of $\mathcal{P}$ in a top-level formula. For each parameter $x_{i,j}$ of $P_i$ and each unfolding tree $t \in \mathcal{T}_i(\mathcal{P})$ there exists a path $\varepsilon = p_1, \ldots, p_m \in dom(t)$ and variables $\alpha_1, \ldots, \alpha_m \in LVar_{sl}$ such that $x_{i,j} = \alpha_1$ and $\alpha_\ell^{p_\ell} = \alpha_{\ell+1}^{p_{\ell+1}}$ is a consequence of $\phi_t$, for all $\ell = 1, \ldots, m-1$. Subsequently, there are three (not necessarily disjoint) possibilities:

1. $head(t(p_m)) = \alpha_m \mapsto (\ldots)$, i.e. $\alpha_m$ is allocated

2. $head(t(p_m)) = \beta \mapsto (\gamma_1, \ldots, \gamma_s, \ldots, \gamma_c)$ and $\alpha_m = \gamma_s$, for some selector $s$, i.e. $\alpha_m$ is referenced

3. $\alpha_m = x_{i,q}$ and $p_m = \varepsilon$, for some $1 \leq q \leq n_i$ with $q \neq j$, i.e. $\alpha_m$ is another parameter $x_{i,q}$

Again, we use slightly modified routing automata (one for each of the cases above) $C^{i,j}_c = (\Sigma_\mathcal{P}, Q''_\mathcal{P}, q_i, q_f, \Delta^{i,j}_c)$, for the cases $c = 1, 2, 3$, respectively. Here $Q''_\mathcal{P} = \{q^{var}_x \mid x \in LVar_{sl}\} \cup \{q^{sel}_s \mid s \in Sel\} \cup \{q^{i,a} \mid 1 \leq a \leq n_i\} \cup \{q_i, q_f\}$, and the transitions $\Delta^{i,j}_c$, $c = 1, 2, 3$, differ from those of $A_\mathcal{P}$ in the following (below, $R_{pq}$ ranges over the rules of $\mathcal{P}$, $k \in \mathcal{D}(\mathcal{P})$ and $\tau \in \Sigma_\mathcal{P} \cup \{?\}$):

- $(q^{i,j}, \varepsilon) \in \Delta^{i,j}_c(q_i, root, ?)$, i.e. the automaton marks the root of the tree with a designated state $q^{i,j}$, which occurs only once on each run

- $(q^{var}_{x_{i,j}}, \varepsilon) \in \Delta^{i,j}_c(q^{i,j}, R^{-1}_{ik}, ?)$, for each rule $R_{ik}$ of $P_i$, i.e. the automaton starts tracking the parameter variable $x_{i,j}$ beginning with the root of the tree

- $(q_f, \varepsilon) \in \Delta^{i,j}_1(q^{var}_\alpha, R^k_{pq}, \tau)$ if and only if $head(R_{pq}) = \alpha \mapsto (\ldots)$; this is the final rule of $C^{i,j}_1$

- $(q^{sel}_s, \varepsilon) \in \Delta^{i,j}_2(q^{var}_\gamma, R^k_{pq}, \tau)$ if and only if $head(R_{pq}) = \alpha \mapsto (\beta_1, \ldots, \beta_s, \ldots, \beta_n)$ and $\gamma = \beta_s$, i.e. $q^{sel}_s$ is reached, in the second case, when the tracked variable is referenced. After that, $C^{i,j}_2$ moves to the final state, i.e. $(q_f, \varepsilon) \in \Delta^{i,j}_2(q^{sel}_s, \sigma, \tau)$ for all $s \in Sel$ and all $\sigma \in \Sigma_\mathcal{P} \cup \{root\}$

- $(q^{i,a}, \varepsilon) \in \Delta^{i,j}_3(q^{var}_{x_{i,a}}, root, ?)$ and $(q_f, \varepsilon) \in \Delta^{i,j}_3(q^{i,a}, root, ?)$, for each $1 \leq a \leq n_i$ with $a \neq j$; these are the final moves of $C^{i,j}_3$

The outcome of this construction are the MSO formulae $\Phi_{C^{i,j}_c}(r, \vec{X}, T, \vec{Y})$, for $c = 1, 2, 3$, where $r$ maps to the root of the unfolding tree, $\vec{X}$ is the sequence of second-order variables $X^d_{ij}$ defined previously, $T$ maps to the domain of the tree, and $\vec{Y}$ is the sequence of second-order variables corresponding to the states of $Q''_\mathcal{P}$. We denote by $Y_f, Y^{i,a}, Y^{sel}_s \in \vec{Y}$ the variables corresponding to the states $q_f$, $q^{i,a}$ and $q^{sel}_s$, respectively. The parameter $x_{i,j}$ of $P_i$ is constrained by the following MSO formulae:

$$param^1_{ij}(r, \vec{X}, T) = \forall \vec{Y} . \Phi_{C^{i,j}_1}(r, \vec{X}, T, \vec{Y}) \wedge Y^{i,j}(r) \rightarrow \forall y . Y_f(y) \rightarrow \bar{x}_{i,j} = y$$

$$param^2_{ij}(r, \vec{X}, T) = \forall \vec{Y} . \Phi_{C^{i,j}_2}(r, \vec{X}, T, \vec{Y}) \wedge Y^{i,j}(r) \rightarrow \bigwedge_{s \in Sel} \forall y . Y^{sel}_s(y) \rightarrow edge_s(y, \bar{x}_{i,j})$$

$$param^3_{ij}(r, \vec{X}, T) = \forall \vec{Y} . \Phi_{C^{i,j}_3}(r, \vec{X}, T, \vec{Y}) \wedge Y^{i,j}(r) \rightarrow \bigwedge_{\substack{1 \leq a \leq n_i \\ a \neq j}} \forall y . Y^{i,a}(y) \rightarrow \bar{x}_{i,j} = \bar{x}_{i,a}$$

where $\bar{x}_{i,j}$ is the first-order MSO variable corresponding to the SL parameter $x_{i,j}$. Since each $\Phi_{C^{i,j}_c}$ describes one accepting run of $C^{i,j}_c$, the universal quantification over $\vec{Y}$ makes a constraint hold vacuously when its case does not apply to $x_{i,j}$, and enforces it for every run when it does. Finally, the constraint $param_{ij}$ is the conjunction of the $param^c_{ij}$, $c = 1, 2, 3$.

4.6 Translating Top Level SLRD$_{btw}$ Formulae to MSO

We define the MSO formula corresponding to a predicate $P_i(x_{i,1}, \ldots, x_{i,n_i})$ of a system of recursive definitions $\mathcal{P} = \{P_1, \ldots, P_n\}$:

$$\bar{P}_i(\bar{x}_{i,1}, \ldots, \bar{x}_{i,n_i}, T) = \exists r \exists \vec{X} . backbone_i(r, \vec{X}, T) \wedge inner\_edges(r, \vec{X}, T) \wedge no\_double\_alloc(r, \vec{X}, T) \wedge \bigwedge_{1 \leq j \leq n_i} param_{ij}(r, \vec{X}, T)$$

The following lemma is needed to establish the correctness of our construction.

Lemma 5. For any state $S = (s, h)$, any interpretation $\iota : LVar_{sl} \to_{fin} Loc$, and any recursively defined predicate $P_i(x_1, \ldots, x_n)$, we have $S, \iota \models_{sl} P_i(x_1, \ldots, x_n)$ if and only if $S, \bar\iota, \nu[T \leftarrow dom(h)] \models_{mso} \bar{P}_i(\bar{x}_1, \ldots, \bar{x}_n, T) \wedge Heap(T)$, where $\bar\iota : LVar_{mso} \to_{fin} Loc$ is an interpretation of first-order variables such that $\bar\iota(x_u) = s(u)$, for all $u \in PVar$, and $\bar\iota(\bar{x}) = \iota(x)$, for all $x \in LVar_{sl}$, and $\nu : LVar_{mso} \to_{fin} 2^{Loc}$ is any interpretation of second-order variables.

Recall that a top level SLRD$_{btw}$ formula is of the form $\varphi = \exists \vec{z} . \phi(\vec{y}_0) * P_{i_1}(\vec{y}_1) * \cdots * P_{i_k}(\vec{y}_k)$, where $\phi$ is a basic SL formula, $1 \leq i_1, \ldots, i_k \leq n$, and $\vec{y}_j \subseteq \vec{z}$, for all $j = 0, 1, \ldots, k$. We define the MSO formula:

$$\bar\varphi(X) = \exists \vec{\bar{z}} \exists X_0, \ldots, X_k . \bar\phi(\vec{\bar{y}}_0, X_0) \wedge \bar{P}_{i_1}(\vec{\bar{y}}_1, X_1) \wedge \cdots \wedge \bar{P}_{i_k}(\vec{\bar{y}}_k, X_k) \wedge \Pi(X_0, X_1, \ldots, X_k, X)$$

Theorem 3. For any state $S$ and any closed SLRD$_{btw}$ formula $\varphi$ we have that $S \models_{sl} \varphi$ if and only if $S \models_{mso} \exists X . \bar\varphi(X) \wedge Heap(X)$.

Theorem 2 and the above theorem prove the decidability of the satisfiability and entailment problems for SLRD$_{btw}$ by reduction to MSO over states of bounded tree width.

5 Conclusions and Future Work 

We defined a fragment of Separation Logic with Recursive Definitions, capable of describing general unbounded mutable data structures, such as trees with parent pointers and linked leaves. The logic is shown to be decidable for satisfiability and entailment, by reduction to MSO over graphs of bounded tree width. We conjecture that the complexity of the decision problems for this logic is elementary, and plan to compute tight upper bounds in the near future.
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A Definition of tree structures in MSO 

Let X = {X\,...,X m } define a set of tree labels. Given a direction alphabet T> = 
{— 1,0,..., AT}, we consider a set of (partial) successor functions Succ® = {succq, 
. . .,succn}- These functions can be encoded by MSO formulae succ d (x,y, X), and are 
supposed to satisfy the following constraint: 

Vx,y,z . f\ succ i(x,y) A succt(x,z) -> y — z 

A tree structure with root x, domain X and successor functions Succ® is defined by 
the MSO formula tree(r,X,T), which is the conjunction of n(X, T) and the following 
four MSO constraints: 

(A) x is the root of the tree: 

Vy.X(y)->- f\ -nsucc d (y,x,X) 

(B) successors are pairwise distinct: 

Vx,y,z ■ f\ succi(x,y,X) Asuccj(x,z,X) —ty ^ z 

0<i< j<N 

(C) each node except for the root has exactly one predecessor: 

Vy . x =^ y -> 3lz . \J succi{z,y) 

where 3! stands for the unique existential quantification 

(D) all nodes in X are reachable from x: 

closed (X) = Vy . X(y) A A; G ©+ 3z • suca(y,z) ->X(z) 
reach(x,X) = X(x) A closed (X) AVY . Y(x) A closed {Y) ^ X C Y 

The following lemma formalizes the correctness of this definition. 

Lemma 6. For any state S = (s,h) and interpretations x : LVar mso ~^fi„ Loc and V : 
LVar mso —*-fm 2 Loc such that \(r) G dom(h) and v(X ( ) C dom(h), for all i = 1, . . . ,m, 
andv(T) = dom(h), we have: 

S,l,V ^mso tree(r,X,T) 

if and only if there exists a unique prefix-closed set P C N* and two unique trees /j : P — > 
dom{h) and X : P —> {X\ , . . . ,X in \, such that /j is bijective, /j(e) = l(r), and: 

1. W £ dom(h) Md E D+ . S,l[x <- £] [y <- ju(e)],V \= mso ~^succ d (x,y, X*) 

2. \fp ePVde D + . S,l[x<-fi(p)]\y<-/i(p.d)],v \=ms succ d {x,y, X) p.deD 

3. v{Xi) = {£e dom(h) I ^(/i" 1 {(.)) = Xi} 
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Proof. "=>" Since 5,l,V \= mso n(X , T), we have that v(Xi), . . . ,v(X m ) forms a partition 
of dom(h). We define D, p and A, as the limits of the increasing sequences defined as 
follows. Let Pq = {e}, /jo = {(e,i(r))} and Ao = {(e,Xj)}, where j G {1,.. .,m} is the 
unique index such that i(r) G v(X/), and, for all i > 0: 

- P i+ i = P,- U {p.d | p G P u d G T>+,p.d g Pi, 31 G dom(h) . S,l[x <- w(p))\y ±- 

^],V \=mso SUCCd(x,y, 

*)} 

- m+\ = m u {(p.d, l) | p e Di,d e <D+,p.d g p, <- «(p)]b <- 4 V K«o 

succ^(x,y, X )}; notice that the choice of t is unique, because succj defines a partial 
function 

- ki+\ = XiU{(p,Xj) | pedom(p i+1 )\dom(pi), pi + i{p) ev(Xj)}, where; G{l,...,m} 
is the unique index such that (p) G v(X ; -) 

The sequences stabilize, because dom(h) is finite, and we define P = Uoo^i' A* = 
Ui>oJ u i an d ^ — UfxAi- Moreover juo(e) = l(r), hence ju(e) = l(r). The first condi- 
tion is satisfied as a consequence of point (A) in the definition of tree(r,X,T), and 
the second condition can be proved by induction on the definitions of P, and /j,. The 
fact that // is bijective is a consequence of points (B), (C) and (D) in the definition of 
tree(r,X,T). First, suppose that p is not one-to-one, i.e. there exist two distinct posi- 
tions p,q G dom(p) such that p(p) = p(q) = I. Since p ^ q, either: 

(i) p is a prefix of q, or viceversa 

(ii) there exist a position r such that r.d\ is a prefix of p and r.di is a prefix of q, for 
some<2i,<?2 G £>+, c/i 7^ ^2- 

In both cases we obtain a contradiction. Second, suppose that /a is not onto, i.e. there 
exists t G dom(h) such that ^ £, for all p G dom(p). But this is clearly in con- 
tradiction with point (D) above and the definition of D and /i. The third condition can 
be proved inductively on the definition of A;. Finally P, /a and A- are unique, since the 
choices at each step i > in the definition of P„ and A., are unique. This direction 
is an easy exercise. □ 

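The fixpoint construction of $P$, $\mu$ and $\lambda$ from the proof above, run on a constructed finite structure, as an added example that is not part of the paper. A structure is given by a domain $T$, a labelling that is supposed to partition $T$, a root $r$, and the partial successor functions $succ_0, \ldots, succ_N$ as dictionaries (so the functionality constraint of Appendix A holds by construction). `build_tree` (our name) returns the position set and the two trees when $tree(r, \vec{X}, T)$ holds, and `None` when the partition or one of (A) to (D) fails; the sample structure and its two broken variants are constructed for illustration.

```python
def build_tree(domain, labels, root, succ):
    """Run the sequences P_i, mu_i, lambda_i from the proof of Lemma 6 to their limit.
    domain: set of locations; labels: dict label -> set of locations (must partition
    domain); root: location; succ: dict direction -> dict (location -> location).
    Returns (P, mu, lam) or None when the structure is not a tree rooted at root."""
    label_of = {}
    for name, members in labels.items():
        for loc in members:
            if loc in label_of or loc not in domain:
                return None                      # Pi(X, T): labels must partition T
            label_of[loc] = name
    if set(label_of) != set(domain) or root not in domain:
        return None
    if any(root in f.values() for f in succ.values()):
        return None                              # (A): the root has no predecessor
    P, mu, lam = {()}, {(): root}, {(): label_of[root]}
    frontier = [()]
    while frontier:                              # one round builds P_{i+1} from P_i
        nxt = []
        for p in frontier:
            for d, f in sorted(succ.items()):
                if mu[p] in f:                   # succ_d(mu(p), l) holds for a unique l
                    q = p + (d,)
                    P.add(q)
                    mu[q] = f[mu[p]]
                    lam[q] = label_of[mu[q]]
                    nxt.append(q)
        frontier = nxt
        if len(P) > len(domain):                 # a cycle: mu can no longer be one-to-one
            return None
    if len(set(mu.values())) != len(mu):
        return None                              # (B)/(C): some location reached twice
    if set(mu.values()) != set(domain):
        return None                              # (D): some location unreachable from root
    return P, mu, lam


# Constructed structure: a is the root, succ_0 = {a -> b, b -> d}, succ_1 = {a -> c, c -> e}.
DOMAIN = {"a", "b", "c", "d", "e"}
LABELS = {"X1": {"a", "b"}, "X2": {"c", "d", "e"}}
SUCC = {0: {"a": "b", "b": "d"}, 1: {"a": "c", "c": "e"}}


def demo():
    """The valid structure, then two constructed violations: e -> b gives b a second
    predecessor (breaks (C)); dropping c -> e leaves e unreachable (breaks (D))."""
    good = build_tree(DOMAIN, LABELS, "a", SUCC)
    two_preds = build_tree(DOMAIN, LABELS, "a", {0: dict(SUCC[0], e="b"), 1: SUCC[1]})
    unreachable = build_tree(DOMAIN, LABELS, "a", {0: SUCC[0], 1: {"a": "c"}})
    return good, two_preds, unreachable


if __name__ == "__main__":
    print(demo())
```

The bijection check at the end is the computational counterpart of the case analysis in the proof: a location reached from two distinct positions is exactly a violation of (B) or (C), and a location never reached is a violation of (D).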
B Standard Tree Walking Automata

We recall the standard definition of a TWA from [3]. Given a set of tree directions $\mathcal{D} = \{-1, 0, \ldots, N\}$, for some $N \geq 0$, a standard tree-walking automaton (STWA) is a tuple $A_s = (\Sigma, Q, q_i, q_f, \Delta_s)$ where $\Sigma$ is a set of tree node labels, $Q$ is a set of states, $q_i, q_f \in Q$ are the initial and final states, and $\Delta_s : Q \times (\mathcal{D}^+ \cup \{root\}) \times \Sigma \to 2^{Q \times (\mathcal{D} \cup \{\varepsilon\})}$ is the (non-deterministic) transition function. A configuration of $A_s$ is a pair $(p, q)$, where $p \in \mathcal{D}^*$ is a tree position and $q \in Q$ is a state. A run of $A_s$ over a $\Sigma$-labeled tree $t$ is a sequence of configurations $(p_1, q_1), \ldots, (p_n, q_n)$, with $p_1, \ldots, p_n \in dom(t)$ and $q_1, \ldots, q_n \in Q$, such that, for all $i = 1, \ldots, n-1$, we have $p_{i+1} = p_i.k$ for some $k \in \mathcal{D} \cup \{\varepsilon\}$, where either:

1. $p_i = p.d$ for some $p \in \mathcal{D}^*$, $d \in \mathcal{D}^+$, and $(q_{i+1}, k) \in \Delta_s(q_i, d, t(p_i))$, or

2. $p_i = \varepsilon$ and $(q_{i+1}, k) \in \Delta_s(q_i, root, t(p_i))$.

The run is said to be accepting if $q_1 = q_i$, $p_1 = \varepsilon$ and $q_n = q_f$, in which case we say that $A_s$ accepts $t$. We denote by $L(A)$ the set of trees accepted by a (S)TWA $A$. The difference with the TWA of Sec. 4.3 is thus that an STWA reads the direction by which the current node is reached from its parent, whereas a TWA reads the label of the parent.

Lemma 7. For each TWA $A = (\Sigma, Q, q_i, q_f, \Delta)$ there exists an STWA $A_s = (\Sigma, Q \cup Q_{aux}, q_i, q_f, \Delta_s)$ such that $L(A) = L(A_s)$.

Proof. For each rule of $A$ we create a set of rules of $A_s$, such that $(p_1, q_1) \xrightarrow{A} (p_2, q_2)$ if and only if $(p_1, q_1) \xrightarrow{A_s}{}^{+} (p_2, q_2)$, i.e. we simulate the effect of a single step of $A$ by a sequence of steps of $A_s$. The construction of $A_s$ is done as follows. Let $(q_j, k) \in \Delta(q_i, \sigma, \pi)$ be a transition rule of $A$.

- if $\sigma = root$ and $\pi = ?$ then, for each $\tau \in \Sigma$, we have $(q_j, k) \in \Delta_s(q_i, root, \tau)$

- if $\sigma \in \Sigma$ and $\pi = ?$ then $(q_j, k) \in \Delta_s(q_i, root, \sigma)$

- if $\sigma, \pi \in \Sigma$ then, for each $d \in \mathcal{D}^+$, we have the following sequence of rules:

  • $(q^1_{i,d}, -1) \in \Delta_s(q_i, d, \sigma)$, i.e. move up to the parent, remembering the direction $d$

  • $(q^2_{i,d}, d) \in \Delta_s(q^1_{i,d}, e, \pi)$, for each $e \in \mathcal{D}^+ \cup \{root\}$, i.e. check that the parent is labeled $\pi$ and move back down along $d$

  • $(q_j, k) \in \Delta_s(q^2_{i,d}, d, \sigma)$, i.e. perform the original move

  for two fresh states $q^1_{i,d}, q^2_{i,d} \in Q_{aux} \setminus Q$.

The following facts are left as an easy exercise:

1. each sequence of steps $(p_1, q_1), \ldots, (p_n, q_n)$ of $A$ corresponds to a unique sequence of steps of $A_s$ starting and ending in the same configurations

2. each sequence of steps $(p_1, q_1), \ldots, (p_n, q_n)$ of $A_s$ corresponds to a unique sequence of steps of $A$ starting and ending in the same configurations

$\square$



C MSO Encoding of Tree Walking Automata

We consider a class of tree structures with successor functions $Succ_\mathcal{D} = \{succ_i \mid i \in \mathcal{D}^+\}$, for some set of directions $\mathcal{D} = \{-1, 0, \ldots, N\}$, $N \geq 0$, with labels from the alphabet $\vec{X} = (X_1, \ldots, X_m)$ of second-order variables. These labels define a partition of the domain of the tree, i.e. we assume that the following constraint holds in what follows:

$$tree(r, \vec{X}, T)$$

We define the predecessor function $succ_{-1}$ as follows:

$$succ_{-1}(x, y, \vec{X}) = \bigvee_{0 \leq i \leq N} succ_i(y, x, \vec{X})$$

Since each node of a tree has at most one predecessor (point (C) in Appendix A), $succ_{-1}$ is a well-defined partial function.

Let $A = (\Sigma, Q, q_i, q_f, \Delta)$ be a tree walking automaton, and let $Q = \{q_1, \ldots, q_k\}$ be some arbitrary indexing of the set of states. W.l.o.g. we assume that no transition rule of $\Delta$ originates in $q_f$. Let $\vec{Y} = (Y_1, \ldots, Y_k)$ be a sequence of second-order variables, one for each state. First, we define a step $(x, q_i) \rightarrow (y, q_j)$ of $A$ on the tree, as follows:

$$step(x, y, \vec{X}) = \bigvee_{(q_j, k) \in \Delta(q_i, X_p, X_q)} Y_i(x) \wedge Y_j(y) \wedge X_p(x) \wedge succ_k(x, y, \vec{X}) \wedge \big(x = r \vee \exists z . succ_{-1}(x, z, \vec{X}) \wedge X_q(z)\big)$$

where the disjunction ranges over the transition rules of $A$, $succ_\varepsilon(x, y, \vec{X})$ stands for $x = y$, and for rules reading the label $root$ or the parent label $?$ the conjuncts $X_p(x)$ and $X_q(z)$ are replaced by $x = r$. Any position on the run is reachable from the root $r$ with respect to the step relation:

$$step\_closed(X) = \forall x, y . X(x) \wedge step(x, y, \vec{X}) \rightarrow X(y)$$

$$step\_reach(x, X) = X(x) \wedge step\_closed(X) \wedge \forall Y . Y(x) \wedge step\_closed(Y) \rightarrow X \subseteq Y$$

The run $R$ of $A$ is defined by the conjunction of the following constraints:

(A) $R$ equals the union of $Y_1, \ldots, Y_k$, i.e. each position in the run is marked by at least one state of the automaton:

$$\forall x . R(x) \leftrightarrow \bigvee_{j=1}^{k} Y_j(x)$$

(B) the root $r$ of the tree is labeled with $Y_i$, where $Y_i$ is the second-order variable corresponding to the initial state $q_i$:

$$Y_i(r)$$

(C) the final position $x_f$ of the run is labeled with $Y_f$, where $Y_f$ is the second-order variable corresponding to the final state $q_f$:

$$Y_f(x_f) \wedge \forall y . \neg step(x_f, y, \vec{X})$$

(D) every non-final position of the run has a successor position in the run:

$$R \subseteq T \wedge step\_reach(r, R) \wedge \forall x . R(x) \wedge x \neq x_f \rightarrow \exists y . step(x, y, \vec{X})$$

The final formula $\Phi_A(r, \vec{X}, T, \vec{Y})$ is obtained by conjoining the above constraints and existentially quantifying $x_f$ and $R$. The following lemma formalizes the correctness of this construction:

Lemma 8. For any state $S = (s, h)$ and interpretations $\bar\iota : LVar_{mso} \to_{fin} Loc$ and $\nu : LVar_{mso} \to_{fin} 2^{Loc}$, where $\bar\iota(r) \in dom(h)$, $\nu(X_i) \subseteq dom(h)$, for all $i = 1, \ldots, m$, and $\nu(T) = dom(h)$, such that:

$$S, \bar\iota, \nu \models_{mso} tree(r, \vec{X}, T)$$

let $P \subseteq \mathbb{N}^*$ and $\mu : P \to dom(h)$, $\lambda : P \to \{X_1, \ldots, X_m\}$ be the prefix-closed set and the unique trees from Lemma 6. Then we have:

$$S, \bar\iota, \nu \models_{mso} \Phi_A(r, \vec{X}, T, \vec{Y})$$

if and only if $A$ has a loop-free accepting run $\pi$ over $\lambda$ such that $\nu(Y_j) = \{\mu(p) \mid p \in P \text{ and } (p, q_j) \text{ occurs on } \pi\}$, for all $j = 1, \ldots, k$.

Proof. "$\Rightarrow$" From the definition of $\Phi_A$, we can construct a loop-free maximal path $\ell_0, \ell_1, \ldots, \ell_n$ in $dom(h)$ such that:

- $\bar\iota(r) = \ell_0 \in \nu(Y_i)$ and $\ell_n \in \nu(Y_f)$

- $S, \bar\iota[x \leftarrow \ell_i][y \leftarrow \ell_{i+1}], \nu \models_{mso} step(x, y, \vec{X})$, for all $0 \leq i < n$

- $\bigcup_{j=1}^{k} \nu(Y_j) = \{\ell_0, \ell_1, \ldots, \ell_n\}$

Then $\varepsilon = \mu^{-1}(\ell_0), \mu^{-1}(\ell_1), \ldots, \mu^{-1}(\ell_n)$ is a path in $P$ and $A$ has a loop-free accepting run $\pi : (\mu^{-1}(\ell_0), q_i), \ldots, (\mu^{-1}(\ell_n), q_f)$ over $\lambda$. Moreover, $(\mu^{-1}(\ell_i), q_j)$ occurs on the run if and only if $\ell_i \in \nu(Y_j)$. "$\Leftarrow$" This direction is left as an easy exercise. $\square$
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D Routing Automaton Example 

Routing automaton for the tree with link leaves — predicate til from Section 2.2. There is 
only a single predicate til with two rules. The routing automaton is A,u = (L<p,Q,qt,qf,A), 
where 

- Lrp = #12,^1 1, #i2> R n> R n} 

-Q = {€ ar A7AZ fl ^iZ f A ar ^ ar AT r } u { q r',qf,qf,qf } u {<?„<?/} 

and A is defined as follows (the numbers corresponds to numbers in definition of 
routing automata): 

1 . - (q h k) , (qf 1 , e) , (qf , e) , (qf , e) , (qf , e) e A(q h a, x), a e I*,k e {0, 1 },x g u 

{?} 

2. - fo^.e) G A«»(9f' ,tf? 2 ,T),* G 2>(iP),T G E y U{?} 

- ( 9 ^,e) G A^^f ,*f 2 ,x),Jk G <D(T),% G E y U{?} 

- ( ? ™ r ,£)eA ini ,( ? f,o,x),oeEi,,TeEjU{?} 

- «; /r ,e) G A Wf ( 9 «',j?* 1 ,x),* G 2)(fP),x G Ej,U{?} 

- ( 9/ ,e) G A^.a.xJ.o e^xeE.u {?} 

3. - (q v x ar ,0)eA(q v l ar ,R k n ,x),ke<D(P),%eZvU{'!} 

- (qj ar ,—l) G A(^ ar ,a°,x),o G {/?n,/?i 2 },x G E^ 

- (<?r, 1) g A($?»-,j?* 2 ,t),* e e E s .u{?} 

- e A(<#"\a\x),o g {/?ii,/?i2},t e E* 

- (^,0), (^,1) G A^.Jjf-j.T),* G ©(!P),T G E* U {?} 

- e A(«7,a,x),o G E y ,x G E<p 

- (<C/ r >°)> e M/tiTA**)* e 2>(#),t £ Ey u {?} 

- ( 9 f , -1) e A(9}^ ,a',x),0 G {7?n,/?i2},T G E;p 

- (q v z ar ,-l) G A(^ /r ,a ,x),O G {J?ii,J?i 2 },T G Ej, 

- «; /; ,0) G A(qZ fi ,R\ 2 ,T),k G <D(<£\% G E y U {?} 
" (9)^ - 1 ) e A(9j^,o°,x),o G {J?n,J?i2},T G E y 

- (C^, 1) G A«; /r ,^ 2 ,x),fe G 2>(fP),X G E<p U {?} 

- (lZ fr - 1 ) e A (C^<^)>° g {*ii,*i2},t g E y 

4. - (^.EjeA^.fi},,!),* G 2)(2>),X G E y U{?} 

- ,e)GA(^,^i,x),A:G2)(fP),XGE fP U{?} 



E Missing Proofs 

Proof of Theorem 1: Each state S = (s,h) is both a vertex- and edge-labeled graph, in 
whose set of vertices is loc(S), vertices are labeled with pointer variables, and edges 
with selectors. There are three MSO-definable restrictions making the difference be- 
tweena states and arbitrary graphs: 

1 . each pointer variable u G PVar labels at most one location: 

p i = Vx.y . f\ var u (x) A var u (y) ->■ x = y 
uePVar 
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2. each edge leads to at most one location: 

P2 = Vx,y,z . f\ edge s (x,y) A edge s {x,z) -> y = Z 
seSel 

3. there exists a unique designated nil location with no outgoing edges: 

P3 = 3!xV>' . f\ ~^edge s {x,y) A Vz . nulliy) — > x = z 

seSel 

Hence the satisfiability problem for an MSO formula (p interpreted over states is equiv- 
alent to the satisfiability of the MSO formula (p A pi A P2 A P3 interpreted over arbitrary 
graphs. The latter problem is decidable, as shown, e.g. by Theorem 2.1 in [13]. □ 

Proof of Lemma 1 : Let (p = £ A II, where E and II are the spatial and pure parts of (p, re- 
spectivelly. First observe that dom(h) = {(s©i)(a) | a n> (. . . , P, . . .) occurs in £} and 
Img(h) = {(j0l)(P) 04 (...,P,...) occurs in £}. Hence |<p| = |£| > \\dom(h) Ulmg(h)\\. 
Moreover, we have that \\img(s)\\ < \\PVar\\. 

We define a tree decomposition of S as follows. Let P C N* be a prefix-closed set 
such that ||P|| = \\dom(h) UImg(h)\\ and 8 : {O.p p e P} U {e} -> 2 /ot '^ be a tree such 
that 8(0./?) = dom(h){JImg(h), for all 6 P and 8(e) = img{s) \ (dom(h)UImg(h)). 
It is easy to check that 8 satisfies the conditions of Def. 2. Also, ||8(0./?)|| < |(p|, for all 
/; ' /'. and ||8(e)|| < \\PVar\\ i.e., \\8(p)\\ < max! (p . /'V'(/r j. for all /? G dom(b). □ 

Proof of Lemma 2: By the definition of the semantics of recursive predicates, we have: 

S,l £ Kv/ <t>r(4i,...,4„ ; ) 

for some unfolding tree f S Observe that the only free variables of are xf j , . . . ,xf B; , 

the rest occurring under existential quantification. Let (j) f be the (matrix) formula ob- 
tained from (j) f by renaming each existentially quantified variable to a unique name, and 
forgetting the existential quantifiers. Also let i E : LVar dom ^ ^/ in Loc be an interpreta- 
tion such that: 

By the definition of the semantics of SL, such an interpretation must exist. Hence for 
each position p e dom(t), there exists a state S p = {s,h p ) such that: 

S p ,l £ \= s i head(t(p)) 

and, moreover ||Jom(/j„)|| = 1, since, by convention, head(t(p)) allocates exactly one 
variable. Consequently, there exists a bijective tree /j : dom{t) — > dom(h) such that, for 
all p £ dom(t), we have dom(h p ) = {/x(p)}. 

We define a tree decomposition 8 : dom(t) —5- 2 Loc as follows, for all positions po € 
dom(t), 5(po) contains only the following locations: 

(i) p(po) £ d(po) 

(ii) l(xij) G 8(po), for all 1 < < n; 
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(iii) if head(t(po)) = oc i-» (pi, . . . ,$ s ), for each u = 1, ... ,5 and each sequence P^° = 
. . . = y Pl of equalities occurring in such that head(t(p\)) allocates y, we have 
/j(pi) G S(p), for each position p within the sequence 

First, we prove that $\delta$ is a valid tree decomposition (Def. 2):

1. Let $\ell \in loc(S)$ be a location. If $\ell \in dom(h)$, then $\ell \in \delta(\mu^{-1}(\ell))$ by point (i) above. If $\ell \in Img(h) \setminus dom(h)$, since $\mathcal{P}$ is established, then $\ell = \iota(x_{i,j})$, for some $1 \le j \le n_i$, by point (ii) above. Hence $\ell \in \delta(p)$, for all $p \in dom(\delta)$. Consequently $loc(S) \subseteq \bigcup_{p \in dom(\delta)} \delta(p)$, and the other direction is trivial.

2. Let $\ell_1 \xrightarrow{u} \ell_2$ be an edge in $S$. Then $\ell_1 \in dom(h)$ and $\ell_1 \in \delta(\mu^{-1}(\ell_1))$, by point (i) above. But $\ell_1 \xrightarrow{u} \ell_2$ only exists because $head(t(\mu^{-1}(\ell_1))) = \alpha \mapsto (\beta_1, \ldots, \beta_s)$, and there exists a sequence $\beta_u^{\mu^{-1}(\ell_1)} = \ldots = y^{\mu^{-1}(\ell_2)}$ of equalities occurring in $\phi_t$, for some $u = 1, \ldots, s$, such that $head(t(\mu^{-1}(\ell_2)))$ allocates $y$. By point (iii) above, we have $\ell_2 \in \delta(\mu^{-1}(\ell_1))$.

3. Let $p, r \in dom(\delta)$ be two distinct positions, $q$ be on the path from $p$ to $r$, and let $\ell \in \delta(p) \cap \delta(r)$. Then there are two possibilities. Either $\ell = \iota(x_{i,j})$, for some $1 \le j \le n_i$, in which case $\ell \in \delta(q)$, by point (ii) above. Otherwise, the only remaining possibility is that both $p$ and $r$ are on a sequence of equalities $\alpha^{p_1} = \ldots = \alpha^{p_n}$, and $\ell \in \bigcap_{i=1}^{n} \delta(p_i)$, cf. point (iii) above. But in this case $q$ must be on the same sequence, hence $\ell \in \delta(q)$.

Finally, we prove that $\|\delta(p)\| \le \|\mathcal{P}\|_{var}$, for all $p \in dom(\delta)$. Let $\ell \in \delta(p)$ be a location. There are two reasons for $\ell \in \delta(p)$:

- $\ell = \iota(x_{i,j})$, for some $j = 1, \ldots, n_i$, cf. point (ii) above

- $\ell = \iota_t(\alpha^p)$, where $\alpha$ is an existentially quantified variable that occurs within $t(p)$, cf. points (i) and (iii) above

Hence $\|\delta(p)\|$ may not exceed the maximum number of variables that occur either free, or existentially quantified, within $t(p)$. □

Proof of Theorem 2: Let $\iota : LVar_{sl} \to_{fin} Loc$ be an interpretation, and $S_0 = (s_0, h_0), S_1 = (s_1, h_1), \ldots, S_n = (s_n, h_n)$ be states such that:

$S_0, \iota \models_{sl} \phi$

$S_1, \iota \models_{sl} P_{i_1}$

$\ldots$

$S_n, \iota \models_{sl} P_{i_n}$

and $S = S_0 \uplus S_1 \uplus \ldots \uplus S_n$. By Lemma 1, $tw(S_0) \le \max(|\phi|, \|PVar\|)$, and by Lemma 2, $tw(S_i) \le \|\mathcal{P}\|_{var}$, for all $i = 1, \ldots, n$. Hence there exist prefix-closed sets $P_i$ and tree decompositions $\delta_i : P_i \to 2^{loc(S_i)}$ of $S_i$, for all $i = 0, 1, \ldots, n$, respectively.

We define the prefix-closed set $P = \{i.p \mid i = 0, 1, \ldots, n,\ p \in P_i\} \cup \{\varepsilon\}$ and a tree decomposition $\delta$ of $S$ as follows. Let $\delta(\varepsilon) = \{\iota(x) \mid x \in \vec{z}\}$ and $\delta(i.p) = \delta_i(p)$, for all $p \in P_i$ and $i = 0, 1, \ldots, n$. Let us first check that $\delta$ meets the conditions of Def. 2. The first point follows from the fact that $loc(S) = \bigcup_{i=0}^{n} loc(S_i)$, and $loc(S_i) = \bigcup_{p \in P_i} \delta_i(p)$, for all $i = 0, 1, \ldots, n$. Second, let $\ell \to m$ be an edge in $S$. Then $\ell \in dom(h_i)$, for some $i = 0, 1, \ldots, n$, and therefore $m \in Img(h_i)$. Hence there exists $p \in P_i$ such that $\ell, m \in \delta_i(p)$. Third, let $q \in P$ be on a path from $p$ to $r$, with $p, r \in P$. We distinguish two cases:

- $q = \varepsilon$, $p = i.p'$ and $r = j.r'$, with $p' \in P_i$ and $r' \in P_j$, $0 \le i < j \le n$. Then $\delta(p) \cap \delta(r) \subseteq \{\iota(x) \mid x \in \vec{z}\} = \delta(q)$

- $q = i.q'$, $q' \in P_i$, and $p = i.p'$, $r = i.r'$ for some $i = 0, 1, \ldots, n$. Then $\delta_i(p') \cap \delta_i(r') \subseteq \delta_i(q')$ by the fact that $\delta_i$ is a tree decomposition of $S_i$, and hence $\delta(p) \cap \delta(r) \subseteq \delta(q)$

Finally, $\|\delta(0.p)\| \le \max(|\phi|, \|PVar\|)$ for all $p \in P_0$, $\|\delta(i.p)\| \le \|\mathcal{P}\|_{var}$ for all $p \in P_i$, $i = 1, \ldots, n$, and $\|\delta(\varepsilon)\| \le \|\vec{z}\|$. Hence $\|\delta(p)\| \le \max(\|\vec{z}\|, |\phi|, \|PVar\|, \|\mathcal{P}\|_{var})$, for all $p \in dom(\delta)$. □
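As an added illustration of the construction in the proof of Theorem 2 (example code, not from the paper), the Python below checks the three conditions of Def. 2 in the form the proofs above use them (the bags cover $loc(S)$, every edge lies in some bag, and a location shared by two bags stays in every bag on the tree path between them) and glues the decompositions of $S_0, \ldots, S_n$ under a fresh root whose bag is $\{\iota(x) \mid x \in \vec{z}\}$. The heap, the decompositions and the assignment of the quantified variable are constructed sample data; the last check shows that the root bag is what makes the glued decomposition valid.

```python
from itertools import combinations

def tree_path(p, r):
    """Positions on the unique tree path from p to r, both inclusive.
    Positions are tuples of ints (prefix-closed sets), so parent(p) == p[:-1]."""
    k = 0
    while k < min(len(p), len(r)) and p[k] == r[k]:
        k += 1
    up = [p[:i] for i in range(len(p), k - 1, -1)]    # p, parent(p), ..., lca
    down = [r[:i] for i in range(k + 1, len(r) + 1)]  # lca's child towards r, ..., r
    return up + down

def is_tree_decomposition(delta, locs, edges):
    """Def. 2 as used in the proofs: (1) bags cover loc(S); (2) each edge l -> m
    has a bag containing both ends; (3) for q on the path from p to r,
    delta(p) & delta(r) <= delta(q). dom(delta) must be prefix-closed."""
    if any(p[:-1] not in delta for p in delta if p):
        return False
    if set().union(*delta.values()) != set(locs):
        return False
    for l, m in edges:
        if not any(l in bag and m in bag for bag in delta.values()):
            return False
    for p, r in combinations(delta, 2):
        shared = delta[p] & delta[r]
        if shared and any(not shared <= delta[q] for q in tree_path(p, r)):
            return False
    return True

def width(delta):
    """max ||delta(p)|| over all positions p."""
    return max(len(bag) for bag in delta.values())

def compose(root_bag, parts):
    """The construction of the proof: delta(eps) = root_bag (the interpretation of
    the quantified variables z) and delta(i.p) = delta_i(p) for each part i."""
    delta = {(): frozenset(root_bag)}
    for i, part in enumerate(parts):
        for p, bag in part.items():
            delta[(i,) + p] = frozenset(bag)
    return delta

# Constructed sample: S_0 allocates cells 1, 2 (edges 1 -> 2 -> 3), S_1 allocates
# cells 3, 4 (edges 3 -> 4 -> 5); cell 3 is iota(z) for the single quantified
# variable z, so it is the only location the two sub-states share, and, as in
# point (ii) of the proof of Lemma 2, it sits in every bag of both decompositions.
DELTA_0 = {(): frozenset({1, 2, 3}), (0,): frozenset({2, 3})}
DELTA_1 = {(): frozenset({3, 4}), (0,): frozenset({3, 4, 5})}
LOCS = [1, 2, 3, 4, 5]
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5)]

if __name__ == "__main__":
    glued = compose({3}, [DELTA_0, DELTA_1])
    print(is_tree_decomposition(glued, LOCS, EDGES), width(glued))
```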

Proposition 1. For any state $S = (s, h)$ and any interpretations $\iota : LVar_{mso} \to_{fin} Loc$ and $\nu : LVar_{mso} \to_{fin} 2^{Loc}$ of the first- and second-order variables, respectively, we have $S, \iota, \nu \models_{mso} Heap(X) \iff \nu(X) = dom(h)$.

Proof. By definition of $Heap(X)$, $\nu(X)$ is the set of locations $\ell \in Loc$ such that $h_s(\ell) \ne \bot$, for some $s = 1, \ldots, \|Sel\|$. But this is exactly the definition of $dom(h)$, by Def. 1. □

The following lemma says that an MSO formula obtained as a translation of a basic spatial SL formula is true in a state $S$ if and only if it is true on any extension of $S$.

Lemma 9. Let $\sigma$ be a basic spatial SL formula, $S = (s, h)$ be any state, $\iota : LVar_{mso} \to_{fin} Loc$, $\nu : LVar_{mso} \to_{fin} 2^{Loc}$ be interpretations of first and second-order variables, respectively. Then, for any state $S'$, such that $S \uplus S'$ is defined, we have:

$S, \iota, \nu[X \leftarrow dom(h)] \models_{mso} \overline{\sigma}(X) \iff S \uplus S', \iota, \nu[X \leftarrow dom(h)] \models_{mso} \overline{\sigma}(X)$

Proof. By induction on the structure of $\sigma$. □

Proof of Lemma 3: By induction on the structure of $\phi$. The most interesting case is the separating conjunction, i.e. $\phi = \sigma_1 * \sigma_2$ for two spatial SL formulae $\sigma_1$ and $\sigma_2$.

"$\Rightarrow$" $S, \iota \models_{sl} \sigma_1 * \sigma_2$ if and only if there exist two states $S_1 = (s, h_1)$ and $S_2 = (s, h_2)$ such that $S_i, \iota \models_{sl} \sigma_i$, for both $i = 1, 2$ and $S = S_1 \uplus S_2$. By the induction hypothesis we have that $S_i, \iota, \nu[Y_i \leftarrow dom(h_i)] \models_{mso} \overline{\sigma_i}(Y_i) \wedge Heap(Y_i)$, and by Lemma 9, we have $S_1 \uplus S_2, \iota, \nu[Y_i \leftarrow dom(h_i)] \models_{mso} \overline{\sigma_i}(Y_i)$, for both $i = 1, 2$. Hence:

$S_1 \uplus S_2, \iota, \nu[Y_1 \leftarrow dom(h_1)][Y_2 \leftarrow dom(h_2)] \models_{mso} \overline{\sigma_1}(Y_1) \wedge \overline{\sigma_2}(Y_2)$

$S_1 \uplus S_2, \iota, \nu[X \leftarrow dom(h_1) \cup dom(h_2)] \models_{mso} \exists Y_1 \exists Y_2 . \overline{\sigma_1}(Y_1) \wedge \overline{\sigma_2}(Y_2) \wedge \Pi(Y_1, Y_2, X)$

$S_1 \uplus S_2, \iota, \nu[X \leftarrow dom(h_1) \cup dom(h_2)] \models_{mso} \overline{\phi}(X)$

By Proposition 1, we obtain further:

$S_1 \uplus S_2, \iota, \nu[X \leftarrow dom(h_1) \cup dom(h_2)] \models_{mso} Heap(X)$

hence $S, \iota, \nu[X \leftarrow dom(h)] \models_{mso} \overline{\phi}(X) \wedge Heap(X)$.

"$\Leftarrow$" If $S, \iota, \nu[X \leftarrow dom(h)] \models_{mso} \exists Y_1 \exists Y_2 . \overline{\sigma_1}(Y_1) \wedge \overline{\sigma_2}(Y_2) \wedge \Pi(Y_1, Y_2, X) \wedge Heap(X)$, then there exist two sets of locations, call them $L_1$ and $L_2$, such that $L_1 \cap L_2 = \emptyset$ and $L_1 \cup L_2 = dom(h)$, such that $S, \iota, \nu[Y_i \leftarrow L_i] \models_{mso} \overline{\sigma_i}(Y_i)$, for both $i = 1, 2$. Let $h_1$ and $h_2$ be the restrictions of $h$ to $L_1$ and $L_2$, respectively, and define $S_i = (s, h_i)$, for both $i = 1, 2$. Clearly $S_1 \uplus S_2 = S$. By Lemma 9 we have $S_i, \iota, \nu[Y_i \leftarrow dom(h_i)] \models_{mso} \overline{\sigma_i}(Y_i)$. By Proposition 1 we have, moreover, that $S_i, \iota, \nu[Y_i \leftarrow dom(h_i)] \models_{mso} Heap(Y_i)$, for both $i = 1, 2$. Applying the induction hypothesis, we obtain $S_i, \iota \models_{sl} \sigma_i$, for both $i = 1, 2$, hence $S, \iota \models_{sl} \phi$. □

Proof of Lemma 4: The proof relies on the following claim:

Claim. For any two positions $p, r \in dom(t)$ such that either (i) $p$ is a child of $r$, (ii) $r$ is a child of $p$, or (iii) $p = r$ we have:

$x^p = y^r$ occurs in $\phi_t \iff A_\phi$ moves in one step from $(p, q^{var}_x)$ to $(r, q^{var}_y)$

Proof. We give the proof for the second case, the rest of the cases being similar. Assume that $r = p.k$, for some $k \in \mathcal{D}_+(\mathcal{P})$. "$\Rightarrow$" By the definition of $\phi_t$, $x^p = y^{p.k}$ occurs in $\phi_t$ only if $t(p) = R_{i,j}$, $(tail(R_{i,j}))_k = P_{i_k}(y_1, \ldots, y_{n_{i_k}})$, where $P_{i_k}(x_{i_k,1}, \ldots, x_{i_k,n_{i_k}})$ is the corresponding definition in $\mathcal{P}$, $x = x_{i_k,\ell}$, and $y = y_\ell$, for some $\ell = 1, \ldots$ In this case we have $(q^{var}_y, k) \in \Delta(q^{var}_x, \alpha'_s, \tau)$, for all $s \in \mathcal{D}(\mathcal{P})$ and all $\tau \in \Sigma_f \cup \{?\}$, and the conclusion follows. "$\Leftarrow$" By definition, $A_\phi$ has a transition rule $(q^{var}_y, k) \in \Delta(q^{var}_x, \alpha'_s, \tau)$ for an $s \in \mathcal{D}(\mathcal{P})$ only if $\alpha = (tail(R_{i,j}))_k = P_\ell(y_1, \ldots, y_{n_\ell})$, $y = \ldots$ and $x = y_j$, for some $j = 1, \ldots$ In this case, the equality $x^p = y^r$ occurs in $\phi_t$. □

"$\Rightarrow$" $x^p = y^r$ is implied by $\phi_t$ only if there exists a path $p = p_1, \ldots, p_n = r$ in $dom(t)$, and variables $x = z_1, z_2, \ldots, z_{n-1}, z_n = y \in LVar_{sl}$, such that $z_i^{p_i} = z_{i+1}^{p_{i+1}}$ occurs in $\phi_t$, for all $i = 1, \ldots, n-1$. By the above claim, $A_\phi$ has a run from $(p, q^{var}_x)$ to $(r, q^{var}_y)$ along this path. "$\Leftarrow$" If $A_\phi$ has a run from $(p, q^{var}_x)$ to $(r, q^{var}_y)$ over $t$, there exist a sequence of positions $p = p_1, p_2, \ldots, p_{n-1}, p_n = r \in dom(t)$ and variables $x = z_1, z_2, \ldots, z_{n-1}, z_n = y$ such that $A_\phi$ moves in one step from $(p_i, q^{var}_{z_i})$ to $(p_{i+1}, q^{var}_{z_{i+1}})$. By the above claim, there exist equalities $z_i^{p_i} = z_{i+1}^{p_{i+1}}$ occurring in $\phi_t$, hence $x^p = y^r$ is a consequence of $\phi_t$. □

Proof of Lemma 5: "$\Rightarrow$" If $S, \iota \models_{sl} P_i(x_1, \ldots, x_n)$ then $S, \iota \models_{sl} \phi_t$ for some unfolding tree $t \in \mathcal{T}_i(\mathcal{P})$. By induction on the structure of $t$, one can build a bijective tree $\mu_0 : dom(t) \to dom(h)$, and define sets $S^d_{i,j} = \{\ell \in dom(h) \mid t(\mu_0^{-1}(\ell)) = R_{i,j} \text{ and } \exists p \in dom(t) . \mu_0^{-1}(\ell) = p.d\}$ for all $d \in \mathcal{D}_+(\mathcal{P})$ and $S^{-1}_{i,j} = \{\ell \in dom(h) \mid \mu_0^{-1}(\ell) = \varepsilon \text{ and } t(\varepsilon) = R_{i,j}\}$. Let $\iota' = \iota[r \leftarrow \mu_0(\varepsilon)]$ and $\nu : LVar_{mso} \to_{fin} 2^{Loc}$ be any interpretation of second order variables such that $\nu(X^d_{i,j}) = S^d_{i,j}$ and $\nu(T) = dom(h)$. By Proposition 1, we have $S, \iota', \nu \models_{mso} Heap(T)$. Next, we prove the following conditions:

1. $S, \iota', \nu \models_{mso} backbone_i(r, \vec{X}, T)$

2. $S, \iota', \nu \models_{mso} inner\_edges(r, \vec{X}, T)$

3. $S, \iota', \nu \models_{mso} no\_double\_alloc(r, \vec{X}, T)$

4. $S, \iota', \nu \models_{mso} param_{i,j}(r, \vec{X}, T)$, for all $j = 1, \ldots, n_i$

(1) Let $\lambda_0 : dom(t) \to \{X_1, \ldots, X_m\}$ be a function defined as $\lambda_0(p) = X_i$ iff $\mu_0(p) \in S_i$. It is immediate that $\nu(X_i) = \{\ell \in dom(h) \mid \lambda_0(\mu_0^{-1}(\ell)) = X_i\}$. By Lemma 6 (Appendix A) it follows that:

$S, \iota', \nu \models_{mso} tree(r, \vec{X}, T) \wedge X^{-1}_i(r)$

To show:

$S, \iota', \nu \models_{mso} succ\_labels(\vec{X})$

let $X^d_{i,j}$ be an arbitrary variable from $\vec{X}$ and let $\ell \in S^d_{i,j}$ be a location. Hence $t(\mu_0^{-1}(\ell)) = R_{i,j}$. Suppose that $tail(R_{i,j}) = (P_{k_1}, \ldots, P_{k_{r_{ij}}})$, and let $m = \mu_0(\mu_0^{-1}(\ell).d)$ for some arbitrary $d \in \{1, \ldots, r_{ij}\}$. Clearly $m \in S^d_{k_d, j'}$, for some $j' = 1, \ldots, n_{k_d}$. One can now easily check that:

$S, \iota'[x \leftarrow \ell][y \leftarrow m], \nu \models_{mso} succ_d(x, y, \vec{X})$

which concludes this point.

(2) If $S, \iota', \nu \models_{mso} \exists \vec{Y} . \Phi_{A_\phi}(r, \vec{X}, T, \vec{Y})$ then there exist sets $U_1, \ldots, U_k \subseteq Loc$ such that:

$S, \iota', \nu[\vec{Y} \leftarrow \vec{U}] \models_{mso} \Phi_{A_\phi}(r, \vec{X}, T, \vec{Y})$

By Lemma 6, there exists a unique prefix-closed set $P \subseteq \mathbb{N}^*$, a unique bijective tree $\mu : P \to dom(h)$ and a unique tree $\lambda : P \to \{X_1, \ldots, X_m\}$ meeting the three properties of Lemma 6. Since $dom(t)$, $\mu_0$ and $\lambda_0$ meet the requirements of Lemma 6, it turns out that $P = dom(t)$, $\mu = \mu_0$ and $\lambda = \lambda_0$. By Lemma 8, $A_\phi$ has an accepting run $\pi$ over $\lambda_0$, such that $U_j = \nu(Y_j) = \{\mu_0(p) \mid (p, q_j) \text{ occurs on } \pi\}$. Let $\ell, m$ be two arbitrary locations such that:

$S, \iota'[x \leftarrow \ell][y \leftarrow m], \nu[\vec{Y} \leftarrow \vec{U}] \models_{mso} Y^{sel}_s(x) \wedge Y_f(y)$

By Lemma 8, there exist positions $p_1, p_2 \in dom(t)$, such that $\mu_0(p_1) = \ell$ and $\mu_0(p_2) = m$, and variables $\alpha, \beta \in LVar_{sl}$ such that $A_\phi$ has a run:

over $\lambda_0$, and implicitly, over $t$. Notice that, by the definition of $A_\phi$, $q^{sel}_s$ and $q_f$ occur exactly once on each accepting run, and moreover, $q_f$ is the final state on the run.

Hence, by Lemma 4, $S, \iota \models_{sl} \alpha^{p_1} = \beta^{p_2}$. Since $\ell$ and $m$ are allocated at $p_1$ and $p_2$ in $t$, respectively, there exists an edge $\ell \xrightarrow{s} m$ in $S$. We have, subsequently:

$S, \iota'[x \leftarrow \ell][y \leftarrow m], \nu \models_{mso} edge_s(x, y)$

which concludes this point.

(3) By contradiction, let us suppose that there exist two distinct locations $\ell$ and $m$ such that:

$S, \iota'[x \leftarrow \ell][y \leftarrow m], \nu[\vec{Y} \leftarrow \vec{U}] \models_{mso} \Phi_{B_\phi}(r, \vec{X}, T, \vec{Y}) \wedge Y_0(x) \wedge Y_f(y)$

By an argument similar to the one from point (2), there exist two variables $\alpha, \beta \in LVar_{sl}$ such that $B_\phi$ has a run:

over $\lambda_0$, or equivalently, over $t$. By the definition of $B_\phi$, $\alpha^{\mu_0^{-1}(\ell)} = \beta^{\mu_0^{-1}(m)}$ is a consequence of $\phi_t$ and moreover both $\alpha$ and $\beta$ are allocated at positions $\mu_0^{-1}(\ell)$ and $\mu_0^{-1}(m)$ in $t$, respectively. The latter facts contradict the hypothesis that $S, \iota \models_{sl} \phi_t$, since, in this case, $\phi_t$ would not be satisfiable, according to the semantics of SL.

(4) This point follows the case split in the definition of $param_{i,j}$ and is proved along the same lines as point (2) above.

"$\Leftarrow$" If $S, \iota, \nu[T \leftarrow dom(h)] \models_{mso} \overline{P_i}(x_1, \ldots, x_n, T)$, then there exists a location $\ell \in Loc$ and sets $L_1, \ldots, L_m \subseteq Loc$ such that:

i. $S, \iota[r \leftarrow \ell], \nu[\vec{X} \leftarrow \vec{L}][T \leftarrow dom(h)] \models_{mso} backbone_i(r, \vec{X}, T)$

ii. $S, \iota[r \leftarrow \ell], \nu[\vec{X} \leftarrow \vec{L}][T \leftarrow dom(h)] \models_{mso} inner\_edges(r, \vec{X}, T)$

iii. $S, \iota[r \leftarrow \ell], \nu[\vec{X} \leftarrow \vec{L}][T \leftarrow dom(h)] \models_{mso} no\_double\_alloc(r, \vec{X}, T)$

iv. $S, \iota[r \leftarrow \ell], \nu[\vec{X} \leftarrow \vec{L}][T \leftarrow dom(h)] \models_{mso} param_{i,j}(r, \vec{X}, T)$, for all $1 \le i \le n$ and all $1 \le j \le m$

For simplicity, we denote $\iota' = \iota[r \leftarrow \ell]$ and $\nu' = \nu[\vec{X} \leftarrow \vec{L}][T \leftarrow dom(h)]$ in the rest of this proof. By (i) and Lemma 6, there exist a set $P \subseteq \mathbb{N}^*$, a bijective tree $\mu : P \to dom(h)$, and a tree $\lambda : P \to \vec{X}$ such that $L_i = \{\ell \in dom(h) \mid \lambda(\mu^{-1}(\ell)) = X_i\}$. Since each variable $X_{i,j}$ from $\vec{X}$ corresponds one-to-one to the rule $R_{i,j}$ from $\mathcal{P}$, we can build a tree $t$ with $dom(t) = P$ as $t(p) \stackrel{def}{=} R_{i,j}$ iff $\lambda(p) = X_{i,j}$, for all $p \in P$. Since, by (i):

$S, \iota', \nu' \models_{mso} succ\_labels(\vec{X}) \wedge X^{-1}_i(r)$

we obtain that $t$ is an unfolding tree (Def. 3), and moreover $t \in \mathcal{T}_i(\mathcal{P})$. It remains to be shown that $S, \iota \models_{sl} \phi_t$. To this end, we extend $\iota$ to an assignment $\iota_t : LVar_\mathcal{P} \to Loc$ such that:

1. $\iota_t(x^\varepsilon) = \iota(x)$, for all $x \in LVar_{sl}$

2. $\iota_t(x^{p_1}) = \iota_t(y^{p_2})$, for all $p_1, p_2 \in P$ and $x, y \in LVar_{sl}$ such that $\phi_t \to x^{p_1} = y^{p_2}$

3. for all $p \in P$, if $head(t(p)) = x \mapsto (y_1, \ldots, y_s)$ then $\iota_t(x^p) \xrightarrow{i} \iota_t(y_i^p)$ in $S$, for all $i = 1, \ldots, s$, and moreover, there are no other outgoing edges from $\iota_t(x^p)$ in $S$

Given $\iota$, $\mu$ and $t$, defined above, we define $\iota_t$ as follows:

- $\iota_t(x_j^\varepsilon) \stackrel{def}{=} \iota(x_j)$, for all $j = 1, \ldots, k$

- $\iota_t(x^p) \stackrel{def}{=} \mu(p)$, for all $p \in P$ such that $head(t(p)) = x \mapsto (\ldots)$

- for all $x^p \in LVar_\mathcal{P}$ not assigned previously, $\iota_t(x^p) \stackrel{def}{=} \iota_t(y^q)$ if and only if $\phi_t \to x^p = y^q$ and $y^q$ is assigned by one of the above points

Since $\mathcal{P}$ is established, every existentially quantified variable $x^p \in LVar_\mathcal{P}$ that occurs in $\phi_t$ is connected to an allocated variable $y^q$, i.e. $head(t(q)) = y^q \mapsto (\ldots)$, by a path of equalities $x^p = z_1^{p_1} = \cdots = z_n^{p_n} = y^q$ all occurring in $\phi_t$. Hence $\iota_t$ assigns locations to all existentially quantified variables in $\phi_t$. Clearly, $\iota_t$ satisfies points (1) and (2) above. To show that $\iota_t$ meets point (3), fix an arbitrary position $p_0 \in P$ such that $head(t(p_0)) = x \mapsto (y_1, \ldots, y_s)$. Observe first that, by (i), $\iota_t(x^{p_0})$ has no outgoing edges $\iota_t(x^{p_0}) \xrightarrow{i} \ell$, for any $i > s$. For the rest, let us fix some arbitrary $1 \le i_0 \le s$ and show that $\iota_t(x^{p_0}) \xrightarrow{i_0} \iota_t(y_{i_0}^{p_0})$ is an edge in $S$. There are two cases:

- $y_{i_0}$ is an existentially quantified variable of $\phi_t$

- $y_{i_0}$ is a parameter $x_j$ of the predicate $P_i$

We shall carry out the proof only in the first case, the reasoning being similar in the second. As previously discussed, if $y_{i_0}$ is existentially quantified, there exists a sequence of equalities $y_{i_0}^{p_0} = z_1^{p_1} = \ldots = z_n^{p_n}$ occurring in $\phi_t$, such that $z_n$ is allocated by $head(t(p_n))$. By Lemma 4, $A_\phi$ has a run from $(p_0, q^{var}_{y_{i_0}})$ to $(p_n, q^{var}_{z_n})$ over $t$. Hence $A_\phi$ has also a run:

$(p_0, q^{sel}_{i_0}), (p_0, q^{var}_{y_{i_0}}), \ldots, (p_n, q^{var}_{z_n}), (p_n, q_f)$

over $t$, and, equivalently, a loop-free run $\pi$ over $\lambda$. Let $U_j = \{\mu(p) \mid (p, q_j) \text{ occurs on } \pi\}$. By Lemma 8, we obtain:

$S, \iota', \nu'[\vec{Y} \leftarrow \vec{U}] \models_{mso} \Phi_{A_\phi}(r, \vec{X}, T, \vec{Y})$

and moreover, $\mu(p_0) \in U^{sel}_{i_0}$ and $\mu(p_n) \in U_f$, where $U^{sel}_{i_0}$ and $U_f$ are the sets of locations corresponding to the states $q^{sel}_{i_0}$ and $q_f$, respectively. We obtain, further:

$S, \iota'[x \leftarrow \mu(p_0)][y \leftarrow \mu(p_n)], \nu' \models_{mso} \exists \vec{Y} . \Phi_{A_\phi}(r, \vec{X}, T, \vec{Y}) \wedge Y^{sel}_{i_0}(x) \wedge Y_f(y)$

By (ii), we obtain:

$S, \iota'[x \leftarrow \mu(p_0)][y \leftarrow \mu(p_n)], \nu' \models_{mso} edge_{i_0}(x, y)$

hence the conclusion follows. □

Lemma 10. Let $P_i(x_{i,1}, \ldots, x_{i,n_i})$ be a predicate of a recursive definition system $\mathcal{P}$, $S = (s, h)$ be a state, and $\iota : LVar_{mso} \to_{fin} Loc$ and $\nu : LVar_{mso} \to_{fin} 2^{Loc}$ be interpretations of first and second-order variables, respectively. Then, for any state $S'$, such that $S \uplus S'$ is defined, we have:

$S, \iota, \nu[T \leftarrow dom(h)] \models_{mso} \overline{P_i}(x_{i,1}, \ldots, x_{i,n_i}, T)$
$\iff S \uplus S', \iota, \nu[T \leftarrow dom(h)] \models_{mso} \overline{P_i}(x_{i,1}, \ldots, x_{i,n_i}, T)$

Proof. The proof is done by inspection of $\overline{P_i}(x_1, \ldots, x_n, T)$. Namely we need to prove the following equivalences, for some $\ell \in Loc$ and sets $S_1, \ldots, S_m$ corresponding to the variables $X_1, \ldots, X_m$:

$S, \iota', \nu' \models_{mso} backbone_i(r, \vec{X}, T) \iff S \uplus S', \iota', \nu' \models_{mso} backbone_i(r, \vec{X}, T)$

$S, \iota', \nu' \models_{mso} inner\_edges(r, \vec{X}, T) \iff S \uplus S', \iota', \nu' \models_{mso} inner\_edges(r, \vec{X}, T)$

$S, \iota', \nu' \models_{mso} no\_double\_alloc(r, \vec{X}, T) \iff S \uplus S', \iota', \nu' \models_{mso} no\_double\_alloc(r, \vec{X}, T)$

$S, \iota', \nu' \models_{mso} param_{i,j}(r, \vec{X}, T) \iff S \uplus S', \iota', \nu' \models_{mso} param_{i,j}(r, \vec{X}, T)$

for all $1 \le j \le n_i$, where $\iota' = \iota[r \leftarrow \ell]$ and $\nu' = \nu[\vec{X} \leftarrow \vec{S}][T \leftarrow dom(h)]$. These equivalences can be proved by case analysis. □

Proof of Theorem 3: Let us first consider the case $k = 0$, i.e. $\varphi$ is a basic SL formula $\varphi = \exists \vec{z} . \phi(\vec{y_0})$. By Lemma 3, for any state $S = (s, h)$, we have that $S \models_{sl} \varphi$ if and only if $S, \iota \models_{mso} \overline{\phi}(X) \wedge Heap(X)$, where $\iota$ is any interpretation such that $\iota(X) = dom(h)$. Hence $S \models_{mso} \exists X . \overline{\phi}(X) \wedge Heap(X)$. Dually, if $S \models_{mso} \exists X . \overline{\phi}(X) \wedge Heap(X)$, then $S, \iota[X \leftarrow L] \models_{mso} \overline{\phi}(X) \wedge Heap(X)$, where $L \subseteq Loc$ is a set of locations. By Proposition 1, we have $L = dom(h)$. Hence $S, \iota \models_{sl} \varphi$, by Lemma 3.

The case $k > 0$ is dealt with by induction on $k$. For $k = 1$ we have $\varphi = \exists \vec{z} . \phi(\vec{y_0}) * P(\vec{y_1})$. "$\Rightarrow$" If $S \models_{sl} \exists \vec{z} . \phi(\vec{y_0}) * P(\vec{y_1})$ then $S, \iota \models_{sl} \phi(\vec{y_0}) * P(\vec{y_1})$ for some interpretation $\iota : LVar_{sl} \to_{fin} Loc$, such that $\iota(x) \ne \bot$, for all $x \in \vec{z}$. Hence there exist two states $S_1 = (s, h_1)$ and $S_2 = (s, h_2)$ such that $S_1 \uplus S_2 = S$, and moreover $S_1, \iota \models_{sl} \phi(\vec{y_0})$ and $S_2, \iota \models_{sl} P(\vec{y_1})$. Applying Lemma 3 and 5, respectively, we obtain:

$S_1, \bar{\iota}[X_0 \leftarrow dom(h_1)] \models_{mso} \overline{\phi}(\vec{y_0}, X_0) \wedge Heap(X_0)$

$S_2, \bar{\iota}[X_1 \leftarrow dom(h_2)] \models_{mso} \overline{P}(\vec{y_1}, X_1) \wedge Heap(X_1)$

where $\bar{\iota} : LVar_{mso} \to_{fin} (Loc \cup 2^{Loc})$ is an interpretation meeting the requirements of both Lemma 3 and 5. Applying Lemma 9 and 10, respectively, we obtain:

$S, \bar{\iota}[X_0 \leftarrow dom(h_1)] \models_{mso} \overline{\phi}(\vec{y_0}, X_0)$

$S, \bar{\iota}[X_1 \leftarrow dom(h_2)] \models_{mso} \overline{P}(\vec{y_1}, X_1)$

Since $S_1 \uplus S_2 = S$, we obtain:

$S, \bar{\iota}[X \leftarrow dom(h)] \models_{mso} \exists X_0 \exists X_1 . \overline{\phi}(\vec{y_0}, X_0) \wedge \overline{P}(\vec{y_1}, X_1) \wedge \Pi(X_0, X_1, X)$

$S, \bar{\iota}[X \leftarrow dom(h)] \models_{mso} \exists \vec{z} \exists X_0 \exists X_1 . \overline{\phi}(\vec{y_0}, X_0) \wedge \overline{P}(\vec{y_1}, X_1) \wedge \Pi(X_0, X_1, X)$

and by Proposition 1 we also have $S, \bar{\iota}[X \leftarrow dom(h)] \models_{mso} Heap(X)$. The conclusion follows. "$\Leftarrow$" If $S \models_{mso} \exists X . \overline{\varphi}(X) \wedge Heap(X)$, then for any interpretation $\bar{\iota} : LVar_{mso} \to_{fin} (Loc \cup 2^{Loc})$ we have $S, \bar{\iota}[X \leftarrow dom(h)] \models_{mso} \overline{\varphi}(X)$, by Proposition 1. Hence there exist $L_1, L_2 \subseteq dom(h)$, such that $L_1 \cap L_2 = \emptyset$, $L_1 \cup L_2 = dom(h)$, and:

$S, \bar{\iota}[X_0 \leftarrow L_1] \models_{mso} \overline{\phi}(\vec{y_0}, X_0)$

$S, \bar{\iota}[X_1 \leftarrow L_2] \models_{mso} \overline{P}(\vec{y_1}, X_1)$

Let $h_1, h_2$ be the restrictions of $h$ to $L_1$, $L_2$, respectively, and $S_1 = (s, h_1)$, $S_2 = (s, h_2)$. Clearly $S = S_1 \uplus S_2$. By Lemma 9 and 10, respectively, we have that:

$S_1, \bar{\iota}[X_0 \leftarrow L_1] \models_{mso} \overline{\phi}(\vec{y_0}, X_0)$

$S_2, \bar{\iota}[X_1 \leftarrow L_2] \models_{mso} \overline{P}(\vec{y_1}, X_1)$

and by Lemma 3 and 5, respectively, we obtain:

$S_1, \iota \models_{sl} \phi(\vec{y_0})$

$S_2, \iota \models_{sl} P(\vec{y_1})$

for an interpretation $\iota : LVar_{sl} \to_{fin} Loc$ meeting the conditions of Lemma 3 and 5. Hence $S, \iota \models_{sl} \phi(\vec{y_0}) * P(\vec{y_1})$, which leads to $S \models_{sl} \exists \vec{z} . \phi(\vec{y_0}) * P(\vec{y_1})$.

The induction step follows a similar argument. □